Upon execution of the IcedID DLL, a connection to a C2 server was established.
This was followed by the creation of a scheduled task on the beachhead host to establish persistence.
The task executed the IcedID payload every one 1 hour.
The IcedID malware then used Windows utilities such as net, chcp, nltest, and wmic, to perform discovery activity on the host.
After a gap of almost an hour, a Cobalt Strike beacon was dropped and executed on the beachhead host.
Soon after, another round of discovery was performed from the Cobalt Strike beacon focusing on the Windows domain.
Nltest and net group were utilized to look for sensitive groups such as Domain Admins and Enterprise Admins.
Process injection into explorer.exe was then observed from the Cobalt Strike Beacon.
The threat actors proceeded to install remote management tools such as Atera Agent and Splashtop.
Use of these 3rd party administrative tools allow the threat actors another “legitimate” means of persistence and access if they were to lose their malware connection.
In this intrusion, The DFIR Report observed usage of gmail[.]com and outlook[.]com email accounts for Atera agent registration.
Soon after, one of the injected Cobalt Strike processes accessed LSASS memory to dump credentials from the beachhead.
On the sixth day of the intrusion, the beachhead host saw new discovery activity with a quick nltest followed by the PowerView script Invoke-ShareFinder.
On the following day, the seventh day of the intrusion, the threat actors made their next move.
On that day, a new Cobalt Strike server was observed, in fact over the course of the intrusion, four different Cobalt Strike servers were used.
From the beachhead host, a DLL was transferred to a domain controller over SMB and then a remote service was created on the domain controller to execute the Cobalt Strike DLL.
After getting a foothold on the domain controller, The DFIR Report saw more process injection followed by the same pattern of installing Atera for additional persistent access.
From the domain controller, the threat actors proceeded with more discovery tasks including AdFind and Invoke-ShareFinder again.
After this, the threat actors went quiet.
On day nine of the intrusion, the next Cobalt Strike server, which would ultimately be used until the end of the intrusion, was observed for the first time.
On the tenth day, little activity was observed but the threat actors connected to the beachhead host via the Atera agent and executed another Cobalt Strike DLL.
A little discovery check-in was observed on the 14th day, but little else.
On the 19th day, the threat actors moved towards their final objectives.
They reviewed the directory structure of several hosts including domain controllers and backup servers.
They then dropped their final ransomware payload on the beachhead host and attempted to execute it using a batch file named backup.bat.
However, they found that their execution failed.
They left for a few hours, and then returned, and attempted to exploit a couple of CVE’s in an attempt to escalate privileges.
The threat actors had already secured domain admin access but it’s possible the operator may have thought they lacked permissions when their first ransomware execution failed.
While these exploits appear to have failed the threat actors found their previously captured domain admin credentials and launched two new Cobalt Strike beacons on the domain controllers.
Finally, twenty minutes after accessing the domain controllers, the threat actors dropped the ransomware DLL and the batch script and executed it from the domain controller.
This time the execution worked as intended and resulted in domain wide ransomware.