{
	"id": "31015c58-799b-4550-bd00-9dd9913ff3f5",
	"created_at": "2026-04-06T00:15:41.719136Z",
	"updated_at": "2026-04-10T03:37:23.773729Z",
	"deleted_at": null,
	"sha1_hash": "9e56e0b4dfd862330c7e428c734c1c6c235fa190",
	"title": "From Word to Lateral Movement in 1 Hour",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 854888,
	"plain_text": "From Word to Lateral Movement in 1 Hour\r\nBy editor\r\nPublished: 2021-06-20 · Archived: 2026-04-05 22:03:08 UTC\r\nIntroduction\r\nIn May 2021, we observed a threat actor conducting an intrusion that used IcedID payloads for initial access. They later performed a number of techniques, from host discovery to lateral movement, using RDP and SMB to access the file servers within an enterprise domain.\r\nIcedID (also known as BokBot), first observed in 2017, continues to be an active and capable threat against both individuals and organizations. The IcedID malware uses a modular framework and incorporates a number of anti-forensic and defense evasion capabilities. Like others before it, this malware has moved into the initial access broker market, being used as an entry point for follow-on activity such as Cobalt Strike, and has led to multiple domain-wide ransomware deployments such as REvil and Conti.\r\nSummary\r\nWe assess with medium confidence that the initial IcedID infection was delivered via a malspam campaign, which included an attachment with a password-protected zip archive. Once extracted, the user would find a Word document with a macro which, upon execution, would deliver the initial DLL loader. Discovered in 2017 as commodity malware, IcedID is now deployed as an initial access vector for ransomware threat actors.\r\nIn this case, the threat actor appeared to have specific goals and did not waste any time. Within 35 minutes of the initial infection, they made their way into the network via a Cobalt Strike Beacon deployed from the IcedID-infected host.\r\nThe first task of the threat actor was to enumerate the network by establishing a list of the domain admins using living-off-the-land techniques, such as net.exe. The freely available tool AdFind.exe was also used to further enumerate the domain. 
The threat actor was also observed stealing credentials from the lsass.exe process.\r\nFive minutes after the above discovery activity, we observed the actors moving laterally to other hosts on the network with the credentials of a domain administrator account. In this case, Cobalt Strike was also used to create the administrative token and then to install a service using a Windows service executable. The service was tasked to run an encoded PowerShell command which would download and execute the Cobalt Strike Beacon over HTTP.\r\nBased on the names of the hosts the threat actors chose to pivot to, we judge that they had digested the AdFind results and focused on what they believed to be important targets: critical assets such as file servers, domain controllers, etc. It is also worth mentioning that even after the remote execution attempt against a few servers failed due to AV, the actors decided to connect via RDP and spent over an hour looking for valuable data before disconnecting and leaving the network.\r\nhttps://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/\r\nPage 1 of 18\r\nNo exfiltration of data or impact to the systems was observed, but at least one command and control channel was left in place. It is unclear why the actors decided not to continue with their operation. No attempt was made by the actors to clean up the intrusion: artifacts that were deployed were still in operation, including C2 implants.\r\nServices\r\nWe offer multiple services, including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, Metasploit, Empire, PoshC2, etc. 
More information on this service and others is available on our website.\r\nThe Cobalt Strike server used in this attack was added to our Threat Feed on 5/7/21.\r\nWe also have artifacts available from this case, such as pcaps, memory captures, files, KAPE packages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nAnalysis and reporting completed by @kostastsale and @_pete_0\r\nReviewed by @tas_kmanager and @v3t0_\r\nMITRE ATT\u0026CK v9\r\nInitial Access\r\nThe first stage of the IcedID malware that was executed on the host was dropped via a macro-enabled Word document, as seen by Unit42; IOCs from Brad are linked in the References.\r\nIn our case, the IcedID DLL loader was manually executed using regsvr32.\r\nPersistence\r\nFrom the initial access, a scheduled task was created. This can be observed via Event ID 106 (New task registered) in the Task Scheduler operational log. Inspection of the task file located under 'c:\\windows\\system32\\tasks':\r\n'License.dat' is an encrypted binary file and is a tell-tale indication of an IcedID compromise. The corresponding DLL (upefkuin4.dll) is used with license.dat to maintain persistence through the Task Scheduler. After decrypting license.dat using Binary Defense's IcedDecrypt tool, we can see some information-stealing functionality.\r\nEvent ID 200 (Task executed) shows the persistent IcedID core being executed, on average every hour, via rundll32.exe.\r\nCredential Access\r\nThe LSASS process was accessed by an unusual process, \"wuauclt.exe\", on the beachhead host. This was the Cobalt Strike Beacon and was used to access the credentials.
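The detection a practitioner would want here, written as an added example rather than code from the DFIR Report: run over Sysmon Event ID 10 (Process Access) records in the key: value layout this section quotes and flag any image outside a baseline allowlist that opens lsass.exe with memory-read rights. The sample records below are constructed (the first mirrors the beachhead observation), and the allowlist is an illustrative assumption, not a recommended production list.

```python
# Added example, not from the DFIR Report: flag Sysmon Event ID 10 (Process Access)
# records where a process outside a baseline allowlist obtains memory-read rights on
# lsass.exe, the pattern behind the wuauclt.exe observation (ATT&CK T1003.001).

# PROCESS_VM_READ from the Win32 process access mask. A credential dumper needs it;
# 0x1FFFFF (PROCESS_ALL_ACCESS), as seen on the beachhead, includes it.
PROCESS_VM_READ = 0x0010

# Illustrative allowlist (an assumption for this example). Build the real one from a
# baseline of the environment; use lower-case full paths, never bare file names, so a
# renamed dumper in another directory does not inherit the exemption.
LSASS_ACCESS_ALLOWLIST = {
    'c:\\windows\\system32\\csrss.exe',
    'c:\\windows\\system32\\wininit.exe',
    'c:\\program files\\windows defender\\msmpeng.exe',
}

# Constructed sample records in the key: value layout quoted in this section. The
# first mirrors the beachhead event; the others are benign look-alikes that a naive
# 'anything touching lsass' rule would also fire on.
SAMPLE_EVENTS = '''
EventID: 10
SourceImage: C:\\Windows\\system32\\WUAUCLT.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1FFFFF

EventID: 10
SourceImage: C:\\Windows\\system32\\csrss.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1FFFFF

EventID: 10
SourceImage: C:\\Windows\\system32\\svchost.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1000

EventID: 10
SourceImage: C:\\Recovery\\AdFind.exe
TargetImage: C:\\Windows\\system32\\svchost.exe
GrantedAccess: 0x1FFFFF
'''


def parse_events(text):
    '''Split blank-line separated key: value records into a list of dicts.'''
    events, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        # partition on the first colon only, so drive letters in paths survive
        key, _, value = line.partition(':')
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def suspicious_lsass_access(events, allowlist=LSASS_ACCESS_ALLOWLIST):
    '''Return (source_image, granted_access) for Event ID 10 records in which a
    non-allowlisted image opened lsass.exe with PROCESS_VM_READ.'''
    hits = []
    for ev in events:
        if ev.get('EventID') != '10':
            continue
        if not ev.get('TargetImage', '').lower().endswith('\\lsass.exe'):
            continue
        access = int(ev.get('GrantedAccess', '0x0'), 16)
        # 0x1000 (QUERY_LIMITED_INFORMATION) alone cannot read credentials; skip it.
        if not access & PROCESS_VM_READ:
            continue
        source = ev.get('SourceImage', '').lower()
        if source in allowlist:
            continue
        hits.append((source, hex(access)))
    return hits


if __name__ == '__main__':
    for source, access in suspicious_lsass_access(parse_events(SAMPLE_EVENTS)):
        print('LSASS access from', source, 'with', access)
```

The mask check matters as much as the allowlist: many legitimate handles to LSASS carry only query rights, and filtering on PROCESS_VM_READ removes that noise without exempting a masquerading binary such as a Beacon spawned as wuauclt.exe. The same split can be pushed down into the Sysmon configuration so that only interesting GrantedAccess values are logged at all.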
\r\nEventID: 10\r\nDescription: Process Access\r\nSourceImage: \"C:\\Windows\\system32\\WUAUCLT.exe\"\r\nTargetImage: \"C:\\Windows\\system32\\lsass.exe\"\r\nGrantedAccess: 0x1FFFFF\r\nCallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9c584|C:\\Windows\\System32\\KERNELBASE.dll+2730e|UNKNOWN(00000\r\nThis is not the first time we have observed this process (wuauclt.exe) being used. In our previous report on another IcedID infection leading to Sodinokibi ransomware, we also observed the same process being used.\r\nThe same process was also observed invoking PowerShell scripts.\r\n\"wuauclt.exe\" is normally the Windows Update client; spawning the Beacon under that name was an attempt to blend into the OS environment (the Beacon configuration below lists WUAUCLT.exe as the spawnto process).\r\nDiscovery\r\nDiscovery commands were run by IcedID during the initial execution on the beachhead. These commands use built-in Microsoft Windows commands and utilities, such as WMIC, ipconfig, etc. The aim was to determine the installed anti-virus software, network configuration, domain configuration and user accounts. The following are the commands that were executed:\r\nWMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get * /Format:List\r\nipconfig /all\r\nsysteminfo\r\nnet config workstation\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nnet view /all /domain\r\nnet view /all\r\nUsing the information gathered, the IcedID operator was able to focus on specific targets, obtaining access to privileged accounts and high-value hosts.\r\nOnce the IcedID operators had established a C2 session to the initially compromised host, they were observed executing the following command:\r\nnet group \"domain admins\" /DOMAIN\r\nInterestingly, we observed the operator deploying and using AdFind to collect information about the hosts on the network. 
AdFind is an Active Directory query tool developed by JoeWare, a useful utility for system administrators but also popular among threat actors.\r\ncmd.exe /C C:\\Recovery\\AdFind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName\r\nAdFind was transferred to and executed on the beachhead host. The threat actor placed the AdFind binary and its results in the 'C:\\Recovery' folder. We assess this location was chosen to avoid raising suspicion, as compared to executing from a user or temporary folder.\r\nLateral Movement\r\nThe threat actors attempted, and succeeded in, pivoting laterally to various hosts on the domain. This was achieved by connecting via SMB and starting a service that would execute a base64-encoded PowerShell command with an embedded Cobalt Strike SMB Beacon.\r\nDecoding the PowerShell shows that the SMB pipe is named \\\\.\\pipe\\halfduplux_9e.\r\nUsing the 'Administrator' account, SMB sessions were established to the hosts, primarily using ADMIN$, but IPC$ was also observed.\r\nThis activity triggered two Emerging Threats (ET) alerts related to RPC access and binary execution: \"ET RPC DCERPC SVCCTL – Remote Service Control Manager Access\" and \"ET POLICY SMB2 NT Create AndX Request For an Executable File\".\r\nCommand and Control\r\nIcedID:\r\nThroughout the intrusion the threat actor used a mix of ports 80 and 443 for C2. Port 80 was observed in the communication to testsubnet[.]com, which contains an HTTP Cookie in the format wordpress_\u003cBase64EncodedString\u003e. This activity was observed at a rate of one request every 2-4 seconds. 
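The decoding step the Lateral Movement section describes (service command line, base64 UTF-16LE PowerShell, then a gzip+base64 inner stage that carries the pipe name) is worth having as a reusable function. The block below is an added example, not code from the DFIR Report or from Cobalt Strike: it constructs a sample command line in that shape, with a stand-in inner stage instead of real Beacon shellcode, and peels both layers to recover the pipe name. The regular expressions and the placeholder stage are assumptions of this example.

```python
# Added example, not from the DFIR Report: peel the two layers of a psexec-style
# service command line (powershell -encodedcommand wrapping a gzip+base64 stage) to
# recover the named pipe an SMB Beacon will listen on. The sample is constructed here;
# its inner stage is a stand-in for real Beacon shellcode and only carries the pipe path.
import base64
import gzip
import re

QUOTE = chr(39)  # the single-quote character, used when assembling the PowerShell text

# Outer layer: -e / -ec / -enc / -encodedcommand followed by base64 of UTF-16LE text.
ENC_ARG = re.compile('(?i)-e(?:c|nc|ncodedcommand)?[ ]+([A-Za-z0-9+/=]+)')
# Middle layer as the stager emits it: [Convert]::FromBase64String('...') into a GzipStream.
INNER_B64 = re.compile('FromBase64String[(].([A-Za-z0-9+/=]+).[)]')
# Tail of a named pipe path: dot, backslash, the word pipe, backslash, then the name.
PIPE_PATH = re.compile('[.][\\\\]pipe[\\\\]([A-Za-z0-9_-]+)')


def build_sample_service_command(pipe_name):
    '''Constructed sample (not captured from the intrusion) shaped like the service
    ImagePath used for lateral movement: cmd launching hidden PowerShell whose encoded
    script inflates a gzip+base64 inner stage.'''
    inner_stage = ('Set-Variable pipe -Value \\\\.\\pipe\\' + pipe_name
                   + '  # stand-in for the Beacon stager')
    inner_b64 = base64.b64encode(gzip.compress(inner_stage.encode('utf-8'))).decode('ascii')
    loader = ('IEX (New-Object IO.StreamReader((New-Object IO.Compression.GzipStream('
              '[IO.MemoryStream][Convert]::FromBase64String(' + QUOTE + inner_b64 + QUOTE + '),'
              '[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()')
    encoded = base64.b64encode(loader.encode('utf-16-le')).decode('ascii')
    return '%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand ' + encoded


def decode_layers(command_line):
    '''Return (outer_script, inner_stage_text); inner is None when no gzip+base64
    layer is present. Raises ValueError when there is no encoded command at all.'''
    m = ENC_ARG.search(command_line)
    if not m:
        raise ValueError('no -encodedcommand argument found')
    outer = base64.b64decode(m.group(1)).decode('utf-16-le')
    inner = None
    m2 = INNER_B64.search(outer)
    if m2:
        blob = base64.b64decode(m2.group(1))
        if blob[:2] == bytes([0x1F, 0x8B]):  # gzip magic
            blob = gzip.decompress(blob)
        # Real stages are shellcode; decoding with errors='ignore' keeps the ASCII
        # runs (such as the pipe path) searchable without raising on binary bytes.
        inner = blob.decode('utf-8', errors='ignore')
    return outer, inner


def extract_pipe_names(command_line):
    '''Pipe names referenced anywhere in the decoded layers, sorted and de-duplicated.'''
    outer, inner = decode_layers(command_line)
    names = set()
    for text in (outer, inner or ''):
        names.update(PIPE_PATH.findall(text))
    return sorted(names)


if __name__ == '__main__':
    sample = build_sample_service_command('halfduplux_9e')
    print('pipes:', extract_pipe_names(sample))
```

The pipe name is the hunting hook: once recovered from one service install it can be searched across Sysmon Event ID 17/18 (pipe created/connected) on every host, which is how the SMB Beacons on the other pivot targets are found without waiting for each one to call back.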
\r\nallnezokila[.]cyou\r\n2tothepollo[.]top\r\ndaserekolut[.]top\r\n194.5.249[.]81\r\ndsedertyhuiokle[.]top\r\n5.149.252[.]179\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ec74a5c51106f0419184d0dd08fb05bc\r\nCertificate: [9b:84:ff:5d:0a:27:25:f6:a3:b3:b8:83:bd:36:50:88:4b:c7:20:06]\r\nNot Before: 2021/04/28 15:18:08\r\nNot After: 2022/04/28 15:18:08\r\nIssuer Org: Internet Widgits Pty Ltd\r\nSubject Common: localhost\r\nSubject Org: Internet Widgits Pty Ltd\r\nPublic Algorithm: rsaEncryption\r\nCobalt Strike:\r\ntestsubnet[.]com\r\n82.117.252[.]32\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: [92:da:38:08:d9:a0:67:2f:e5:67:2e:f0:40:d6:06:21:89:2c:54:cc]\r\nNot Before: 2021/04/22 07:13:54\r\nNot After: 2021/07/21 07:13:54\r\nIssuer Org: Let's Encrypt\r\nSubject Common: testsubnet.com [ns1.testsubnet.com, ns2.testsubnet.com, ns3.testsubnet.com, ns4.testsubnet.com, testsubnet.com]\r\nPublic Algorithm: rsaEncryption\r\nCobalt Strike Beacon Config\r\nPort 80\r\n{\r\n  \"x64\": {\r\n    \"time\": 1621059211662.0,\r\n    \"md5\": \"a30f7a3d511ddb7e2f856f6b4c9ea7be\",\r\n    \"config\": {\r\n      \"Polling\": 58302,\r\n      \"C2 Server\": \"testsubnet.com,\\/ky\",\r\n      \"Method 1\": \"GET\",\r\n      \"Method 2\": \"POST\",\r\n      \"Beacon Type\": \"0 (HTTP)\",\r\n      \"Jitter\": 37,\r\n      \"Port\": 80,\r\n      \"Spawn To x86\": \"%windir%\\\\syswow64\\\\WUAUCLT.exe\",\r\n      \"Spawn To x64\": \"%windir%\\\\sysnative\\\\WUAUCLT.exe\",\r\n      \"HTTP Method Path 2\": \"\\/ky\"\r\n    },\r\n    \"sha256\": \"1636859125648337be180f36ca54bce1f64e20d3a5d0a22ab5d0a99860e268cd\",\r\n    \"sha1\": \"8686f6b651ce3869bdb67f766215b5b030b75cf6\"\r\n  },\r\n  \"x86\": {\r\n    \"time\": 1621059210330.3,\r\n    \"md5\": \"c86cc90291ab6807eda6dc23c53a57c7\",\r\n    \"config\": {\r\n      \"Polling\": 58302,\r\n      \"C2 Server\": \"testsubnet.com,\\/ky\",\r\n      \"Method 1\": \"GET\",\r\n      \"Method 2\": \"POST\",\r\n      \"Beacon Type\": \"0 (HTTP)\",\r\n      \"Jitter\": 37,\r\n      \"Port\": 80,\r\n      \"Spawn To x86\": \"%windir%\\\\syswow64\\\\WUAUCLT.exe\",\r\n      \"Spawn To x64\": \"%windir%\\\\sysnative\\\\WUAUCLT.exe\",\r\n      \"HTTP Method Path 2\": \"\\/ky\"\r\n    },\r\n    \"sha256\": \"d1057cc0a144418ee3ae350fe1a1f70705df03d6455997751773e260568e8651\",\r\n    \"sha1\": \"03f57b0356467a54c4e6537fff4756cbb52a729e\"\r\n  }\r\n}\r\nPort 443\r\n{\r\n  \"x64\": {\r\n    \"time\": 1621059212744.4,\r\n    \"md5\": \"95d0a4208e72b4015d7cc18e7bcffe77\",\r\n    \"config\": {\r\n      \"Polling\": 58302,\r\n      \"C2 Server\": \"testsubnet.com,\\/ur\",\r\n      \"Method 1\": \"GET\",\r\n      \"Method 2\": \"POST\",\r\n      \"Beacon Type\": \"8 (HTTPS)\",\r\n      \"Jitter\": 37,\r\n      \"Port\": 443,\r\n      \"Spawn To x86\": \"%windir%\\\\syswow64\\\\WUAUCLT.exe\",\r\n      \"Spawn To x64\": \"%windir%\\\\sysnative\\\\WUAUCLT.exe\",\r\n      \"HTTP Method Path 2\": \"\\/ky\"\r\n    },\r\n    \"sha256\": \"6f2a49796f4ea603bb63e31ac24579af2eacd937ecfe335ea2437745462a8d5d\",\r\n    \"sha1\": \"84c1e6d042a6c4fb38f2083ea1ce0591a3162aec\"\r\n  },\r\n  \"x86\": {\r\n    \"time\": 1621059209510.8,\r\n    \"md5\": \"f218b1297cd3d9d567dd2e6cbc6c7afe\",\r\n    \"config\": {\r\n      \"Polling\": 58302,\r\n      \"C2 Server\": \"testsubnet.com,\\/ur\",\r\n      \"Method 1\": \"GET\",\r\n      \"Method 2\": \"POST\",\r\n      \"Beacon Type\": \"8 (HTTPS)\",\r\n      \"Jitter\": 37,\r\n      \"Port\": 443,\r\n      \"Spawn To x86\": \"%windir%\\\\syswow64\\\\WUAUCLT.exe\",\r\n      \"Spawn To x64\": \"%windir%\\\\sysnative\\\\WUAUCLT.exe\",\r\n      \"HTTP Method Path 2\": \"\\/ky\"\r\n    },\r\n    \"sha256\": \"4875c6abfa0d5658ec2f6f082300380f983d9505cddd0e81627470d3d941f2e4\",\r\n    \"sha1\": \"9fde1a8103b7a19e617681555ecc4d27b9fb2492\"\r\n  }\r\n}\r\nExfiltration\r\nNo exfiltration was observed; however, we were able to determine that access to the file server was achieved, with multiple access attempts and 
successes.\r\nImpact\r\nNo impact was observed, nor any follow-on activity to deny, disrupt or destroy data or systems.\r\nIOCs\r\nNetwork\r\nIcedID C2\r\nallnezokila[.]cyou\r\n2tothepollo[.]top\r\ndaserekolut[.]top\r\n194.5.249[.]81|443\r\ndsedertyhuiokle[.]top\r\n5.149.252[.]179|443\r\nCobalt Strike C2\r\ntestsubnet[.]com\r\n82.117.252[.]32|80\r\n82.117.252[.]32|443\r\nFiles\r\nupefkuin4.dll\r\nMD5: 332cd0a48e0f7be3e132858877430c90\r\nSHA1: c63f98d65e809a8f461ca5c825f056b93ccc1eb0\r\nSHA256: 666570229dd5af87fede86b9191fb1e8352d276a8a32c42e4bf4128a4f7e8138\r\nlicense.dat\r\nMD5: 3c6263a9c4117c78d26fc4380af014f2\r\nSHA1: eca410dd57af16227220e08067c1895c258eb92b\r\nSHA256: 29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e\r\nAdFind.exe\r\nMD5: 12011c44955fd6631113f68a99447515\r\nSHA1: 4f4f8cf0f9b47d0ad95d159201fe7e72fbc8448d\r\nSHA256: c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\r\nDetections\r\nNetwork\r\nET RPC DCERPC SVCCTL – Remote Service Control Manager Access\r\nET POLICY SMB2 NT Create AndX Request For an Executable File\r\nET DNS Query to a *.top domain – Likely Hostile\r\nET INFO HTTP Request to a *.top domain\r\nET TROJAN W32/Photoloader.Downloader Request Cookie\r\nET POLICY OpenSSL Demo CA – Internet Widgits Pty (O)\r\nSigma\r\nSuspicious In-Memory Module Execution\r\nSuspicious Encoded PowerShell Command Line\r\nMalicious Base64 Encoded PowerShell Keywords in Command Lines\r\nSuspicious PowerShell Parent Process\r\nAbused Debug Privilege by Arbitrary Parent Processes\r\nNon-Interactive PowerShell\r\nPowerShell Network Connections\r\nYARA\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2021-06-09\r\nIdentifier: 3930\r\nReference: https://thedfirreport.com\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport 
\"pe\"\r\n\r\nrule icedid_upefkuin4_3930 {\r\n    meta:\r\n        description = \"3930 - file upefkuin4.dll\"\r\n        author = \"The DFIR Report\"\r\n        reference = \"https://thedfirreport.com\"\r\n        date = \"2021-06-09\"\r\n        hash1 = \"666570229dd5af87fede86b9191fb1e8352d276a8a32c42e4bf4128a4f7e8138\"\r\n    strings:\r\n        $s1 = \"UAWAVAUATVWSH\" fullword ascii\r\n        $s2 = \"AWAVAUATVWUSH\" fullword ascii\r\n        $s3 = \"AWAVATVWUSH\" fullword ascii\r\n        $s4 = \"update\" fullword ascii /* Goodware String - occurred 207 times */\r\n        $s5 = \"?ortpw@@YAHXZ\" fullword ascii\r\n        $s6 = \"?sortyW@@YAHXZ\" fullword ascii\r\n        $s7 = \"?sorty@@YAHXZ\" fullword ascii\r\n        $s8 = \"?keptyu@@YAHXZ\" fullword ascii\r\n        $s9 = \"*=UUUUr#L\" fullword ascii\r\n        $s10 = \"*=UUUUr!\" fullword ascii\r\n        $s11 = \"PluginInit\" fullword ascii\r\n        $s12 = \"*=UUUUr\\\"\" fullword ascii\r\n        $s13 = \"AVVWSH\" fullword ascii\r\n        $s14 = \"D$4iL$ \" fullword ascii\r\n        $s15 = \"X[]_^A\\\\A]A^A_\" fullword ascii\r\n        $s16 = \"D$4iT$ \" fullword ascii\r\n        $s17 = \"H[]_^A\\\\A]A^A_\" fullword ascii\r\n        $s18 = \"L94iL$ \" fullword ascii\r\n        $s19 = \"D$ iD$ \" fullword ascii\r\n        $s20 = \"*=UUUUr \" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 700KB and\r\n        ( pe.imphash() == \"87bed5a7cba00c7e1f4015f1bdae2183\" and ( pe.exports(\"?keptyu@@YAHXZ\") and pe.export\r\n}\r\n\r\nrule icedid_license_3930 {\r\n    meta:\r\n        description = \"3930 - file license.dat\"\r\n        author = \"The DFIR Report\"\r\n        reference = \"https://thedfirreport.com\"\r\n        date = \"2021-06-09\"\r\n        hash1 = \"29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e\"\r\n    strings:\r\n        $s1 = \"iEQc- A1h\" fullword ascii\r\n        $s2 = \"%n%DLj\" fullword ascii\r\n        $s3 = \"n{Y@.hnPP#5\\\"~\" fullword ascii\r\n        $s4 = \"(5N\u0026#jUBE\\\"0\" fullword ascii\r\n        $s5 = \"~JCyP+Av\" fullword ascii\r\n        $s6 = \"iLVIy\\\\\" fullword ascii\r\n        $s7 = \"RemwDVL\" fullword ascii\r\n        $s8 = \"EQiH^,\u003eA\" fullword ascii\r\n        $s9 = \"#wmski;H\" fullword ascii\r\n        $s10 = \"aHVAh}X\" fullword ascii\r\n        $s11 = \"GEKK/no\" fullword ascii\r\n        $s12 = \"focbZjQ\" fullword ascii\r\n        $s13 = \"wHsJJX\u003ee\" fullword ascii\r\n        $s14 = \"cYRS:F#\" fullword ascii\r\n        $s15 = \"EfNO\\\"h{\" fullword ascii\r\n        $s16 = \"akCevJ]\" fullword ascii\r\n        $s17 = \"8IMwwm}!\" fullword ascii\r\n        $s18 = \"NrzMP?\u003c\u003e\" fullword ascii\r\n        $s19 = \".ZNrzLrU\" fullword ascii\r\n        $s20 = \"sJlCJP[\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x02ee and filesize \u003c 1000KB and\r\n        8 of them\r\n}\r\n\r\nrule icedid_win_01 {\r\n    meta:\r\n        description = \"Detects Icedid\"\r\n        author = \"The DFIR Report\"\r\n        date = \"15/05/2021\"\r\n        description = \"Detects Icedid functionality. incl. credential access, OS cmds.\"\r\n        sha1 = \"3F06392AF1687BD0BF9DB2B8B73076CAB8B1CBBA\"\r\n        score = 100\r\n    strings:\r\n        $s1 = \"DllRegisterServer\" wide ascii fullword\r\n        $x1 = \"passff.tar\" wide ascii fullword\r\n        $x2 = \"vaultcli.dll\" wide ascii fullword\r\n        $x3 = \"cookie.tar\" wide ascii fullword\r\n        $y1 = \"powershell.exe\" wide ascii fullword\r\n        $y2 = \"cmd.exe\" wide ascii fullword\r\n    condition:\r\n        ( uint16(0) == 0x5a4d and int32(uint32(0x3c)) == 0x00004550 and filesize \u003c 500KB and $s1 and ( 2 of\r\n}\r\n\r\nrule fake_gzip_bokbot_202104 {\r\n    meta:\r\n        author = \"Thomas Barabosch, Telekom Security\"\r\n        date = \"2021-04-20\"\r\n        description = \"fake gzip provided by CC\"\r\n    strings:\r\n        $gzip = {1f 8b 08 08 00 00 00 00 00 00 75 70 64 61 74 65}\r\n    condition:\r\n        $gzip at 0\r\n}\r\n\r\nrule win_iceid_gzip_ldr_202104 {\r\n    meta:\r\n        author = \"Thomas Barabosch, Telekom Security\"\r\n        date = \"2021-04-12\"\r\n        description = \"2021 initial Bokbot / Icedid loader for fake GZIP payloads\"\r\n    strings:\r\n        $internal_name = \"loader_dll_64.dll\" fullword\r\n        $string0 = \"_gat=\" wide\r\n        $string1 = \"_ga=\" wide\r\n        $string2 = \"_gid=\" wide\r\n        $string3 = \"_u=\" wide\r\n        $string4 = \"_io=\" wide\r\n        $string5 = \"GetAdaptersInfo\" fullword\r\n        $string6 = \"WINHTTP.dll\" fullword\r\n        $string7 = \"DllRegisterServer\" fullword\r\n        $string8 = \"PluginInit\" fullword\r\n        $string9 = \"POST\" wide fullword\r\n        $string10 = \"aws.amazon.com\" wide fullword\r\n    condition:\r\n        uint16(0) == 0x5a4d and\r\n        filesize \u003c 5000KB and\r\n        ( $internal_name or all of ($s*) )\r\n        or all of them\r\n}\r\n\r\nrule win_iceid_core_ldr_202104 {\r\n    meta:\r\n        author = \"Thomas Barabosch, Telekom Security\"\r\n        date = \"2021-04-13\"\r\n        description = \"2021 loader for Bokbot / Icedid core (license.dat)\"\r\n    strings:\r\n        $internal_name = \"sadl_64.dll\" fullword\r\n        $string0 = \"GetCommandLineA\" fullword\r\n        $string1 = \"LoadLibraryA\" fullword\r\n        $string2 = \"ProgramData\" fullword\r\n        $string3 = \"SHLWAPI.dll\" fullword\r\n        $string4 = \"SHGetFolderPathA\" fullword\r\n        $string5 = \"DllRegisterServer\" fullword\r\n        $string6 = \"update\" fullword\r\n        $string7 = \"SHELL32.dll\" fullword\r\n        $string8 = \"CreateThread\" fullword\r\n    condition:\r\n        uint16(0) == 0x5a4d and\r\n        filesize \u003c 5000KB and\r\n        ( $internal_name or all of ($s*) )\r\n        or all of them\r\n}\r\n\r\nrule win_iceid_core_202104 {\r\n    meta:\r\n        author = \"Thomas Barabosch, Telekom Security\"\r\n        date = \"2021-04-12\"\r\n        description = \"2021 Bokbot / Icedid core\"\r\n    strings:\r\n        $internal_name = \"fixed_loader64.dll\" fullword\r\n        $string0 = \"mail_vault\" wide fullword\r\n        $string1 = \"ie_reg\" wide fullword\r\n        $string2 = \"outlook\" wide fullword\r\n        $string3 = \"user_num\" wide fullword\r\n        $string4 = \"cred\" wide fullword\r\n        $string5 = \"Authorization: Basic\" fullword\r\n        $string6 = \"VaultOpenVault\" fullword\r\n        $string7 = \"sqlite3_free\" fullword\r\n        $string8 = \"cookie.tar\" fullword\r\n        $string9 = \"DllRegisterServer\" 
fullword\r\n        $string10 = \"PT0S\" wide\r\n    condition:\r\n        uint16(0) == 0x5a4d and\r\n        filesize \u003c 5000KB and\r\n        ( $internal_name or all of ($s*) )\r\n        or all of them\r\n}\r\nMITRE ATT\u0026CK Techniques\r\nRemote System Discovery – T1018\r\nSecurity Software Discovery – T1518.001\r\nSystem Information Discovery – T1082\r\nSystem Network Configuration Discovery – T1016\r\nDomain Account – T1087.002\r\nDomain Trust Discovery – T1482\r\nApplication Layer Protocol – T1071\r\nIngress Tool Transfer – T1105\r\nPowerShell – T1059.001\r\nScheduled Task/Job – T1053\r\nProcess Injection – T1055\r\nRundll32 – T1218.011\r\nLSASS Memory – T1003.001\r\nSMB/Windows Admin Shares – T1021.002\r\nRemote Desktop Protocol – T1021.001\r\nReferences\r\nIcedID GZIPLOADER Analysis, Binary Defense – https://www.binarydefense.com/icedid-gziploader-analysis/\r\nIcedDecrypt, Binary Defense – https://github.com/BinaryDefense/IcedDecrypt\r\nSecurity Primer – IcedID, Center for Internet Security – https://www.cisecurity.org/white-papers/security-primer-icedid/\r\nIcedID YARA Rules, Thomas Barabosch – https://github.com/telekom-security/icedid_analysis\r\nTA551 Pushing IcedID IoCs, Unit42 – https://github.com/pan-unit42/tweets/blob/master/2021-05-10-IOCs-for-TA551-pushing-IcedID.txt\r\nAdFind, JoeWare – http://www.joeware.net/freetools/tools/adfind/\r\nNMap NSE Grab CobaltStrike Configuration, Whickey-R7 – https://github.com/whickey-r7/grab_beacon_config\r\nInternal case 3930\r\nSource: https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/"
	],
	"report_names": [
		"from-word-to-lateral-movement-in-1-hour"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434541,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e56e0b4dfd862330c7e428c734c1c6c235fa190.pdf",
		"text": "https://archive.orkl.eu/9e56e0b4dfd862330c7e428c734c1c6c235fa190.txt",
		"img": "https://archive.orkl.eu/9e56e0b4dfd862330c7e428c734c1c6c235fa190.jpg"
	}
}