An Ice Cold Intrusion
WHITE | AlienVault | 2024-04-04 | Modified: 2024-05-04
38 IOCs (medium volume)
This report details a sophisticated cyber attack where threat actors gained initial access through a phishing campaign distributing malicious OneNote attachments. They delivered the IcedID malware, which maintained persistence for over a month before deploying Cobalt Strike beacons. The actors leveraged RDP, AnyDesk, and credential access to move laterally, exfiltrate data using FileZilla, and ultimately deploy Nokoyawa ransomware on critical servers, causing significant impact.
MITRE ATT&CK & Malware Families
Malware families: IcedID (S0483), Cobalt Strike (S0154), Nokoyawa
Indicators of Compromise (38)