216.73.217.22

From IcedID to Dagon Locker Ransomware in 29 Days

· Published 29/04/2024 17:23 · Modified 01/05/2024 23:05

Export JSON

Essential information

Published
29/04/2024 17:23
Modified
01/05/2024 23:05
Tags
access token adfind anydesk aws collector cobalt strike discovery domain account encrypted icedid manipulation modify system powershell prometheustds rclone seatbelt sharefinder shell utility
Related entities
33 observables, 33 techniques (mitre), 2 malware

Description

This intrusion started in August 2023 with a phishing campaign that distributed malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (33)

  • 87.251.67.168
  • 51.89.133.3
  • 45.15.161.97
  • 194.58.68.187
  • 159.89.124.188
  • 151.236.9.176
  • 151.236.9.166
  • 159.223.95.82
  • 143.110.245.38
  • 23.159.160.88
  • http://87.251.67.168:443
  • http://194.58.68.187:443
  • http://159.89.124.188:443
  • http://159.223.95.82:443
  • http://151.236.9.176:443
  • http://151.236.9.166:443
  • http://143.110.245.38:443
  • winupdate.us.to
  • ultrascihictur.com
  • rpgmagglader.com
  • restohalto.site
  • patricammote.com
  • oopscokir.com
  • moashraya.com
  • magiraptoy.com
  • fraktomaam.com
  • ewacootili.com
  • f6e5dbff14ef272ce07743887a16decbee2607f512ff2a9045415c8e0c05dbb4
  • a0191a300263167506b9b5d99575c4049a778d1a8ded71dcb8072e87f5f0bbcf
  • 9da84133ed36960523e3c332189eca71ca42d847e2e79b78d182da8da4546830
  • 839cf7905dc3337bebe7f8ba127961e6cd40c52ec3a1e09084c9c1ccd202418e
  • 65edf9bc2c15ef125ff58ac597125b040c487640860d84eea93b9ef6b5bb8ca6
  • 332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953

Techniques (MITRE) (33)

  • T1069
    Permission Groups Discovery
  • T1039
    Data from Network Shared Drive
  • T1135
    Network Share Discovery
  • T1490
    Inhibit System Recovery
  • T1482
    Domain Trust Discovery
  • T1124
    System Time Discovery
  • T1136
    Create Account
  • T1567
    Exfiltration Over Web Service
  • T1614
    System Location Discovery
  • T1552
    Unsecured Credentials
  • T1087
    Account Discovery
  • T1021
    Remote Services
  • T1573
    Encrypted Channel
  • T1489
    Service Stop
  • T1486
    Data Encrypted for Impact
  • T1218
    System Binary Proxy Execution
  • T1082
    System Information Discovery
  • T1105
    Ingress Tool Transfer
  • T1083
    File and Directory Discovery
  • T1071
    Application Layer Protocol
  • T1047
    Windows Management Instrumentation
  • T1055
    Process Injection
  • T1020
    Automated Exfiltration
  • T1219
    Remote Access Tools
  • T1134
    Access Token Manipulation
  • T1204
    User Execution
  • T1033
    System Owner/User Discovery
  • T1027
    Obfuscated Files or Information
  • T1560
    Archive Collected Data
  • T1053
    Scheduled Task/Job
  • T1562
    Impair Defenses
  • T1003
    OS Credential Dumping
  • T1059
    Command and Scripting Interpreter

Malware (2)

  • IcedID
    Family
    Published 29/04/2024 19:15 · Modified 29/04/2024 19:15
  • Cobalt Strike
    Family
    Published 16/12/2024 14:25 · Modified 16/12/2024 14:25

External references