Summary

Craig Alda (user craig.alda, host DESKTOP-JH1UZAE$, MAC HewlettP_1c:47:ae (00:08:02:1c:47:ae), Windows 10) was infected with IcedID at 00:26 UTC on 13/11/2020; a Cobalt Strike beacon followed on the same host at 09:39 UTC.

Timeline

00:26:49: first malicious GET request, 302 redirect to download 3.dll [IcedID]

00:28:05: first traffic to lezasopedrill.cyou at 143.110.191.95:433

00:29:14: last traffic to lezasopedrill.cyou at 143.110.191.95:433

00:30:03: first traffic to timerdisclaimer.tw at 198.211.99.24:433

00:32:12: first traffic to compactmuslimdeport.pw at 198.211.99.24:433 (same IP as timerdisclaimer.tw)

00:33:13: last traffic to timerdisclaimer.tw at 198.211.99.24:433

01:26:XX: syuHKYt/vFPKnDV/VSMecyU.dll last modified

01:28:XX: Users/craig.alda/AppData/Local/Temp/~2457218.tmp last modified

01:29:XX: Users/craig.alda/AppData/Local/Temp/~2559312.dll last modified

01:30:XX: Users/craig.alda/AppData/Roaming/Exijopac/uwsida3/baipuyac.png last modified

01:31:XX: Users/craig.alda/AppData/Roaming/craig.alda/Maaywuku2.dll last modified

01:32:XX: Users/craig.alda/AppData/Local/Temp/sqlite64.dll last modified

09:39:07: download of winnit.exe [Cobalt Strike] from 185.141.24.71:80

09:40:12: first GET /update.rss to webintercom76delivery.net at 185.141.24.71:80 (77 total, last 09:49:01)

09:42:35: first POST /submit.php?id=123429382 to webintercom76delivery.net at 185.141.24.71:80 (14 total, last 09:49:01)

09:45:00: 192.168.200.8 begins ICMP ping sweeps of 10.0.0.0/24, 192.168.0.0/24 and 192.211.99.0/24
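The Cobalt Strike phase above has two network traits a detection engineer can key on: a near-constant polling interval (77 GET /update.rss in under 9 minutes, roughly one every 7 s) and POST /submit.php?id=<beacon id> check-ins to the same host, followed by ICMP fan-out across whole /24s. The script below is an added example, not part of the original write-up, that scores both traits over log lines. The log lines are constructed to mirror the indicators in the timeline (host, IP, URIs, interval), and the whitespace-separated "date time src dst method host uri" layout is an assumed simplification of a proxy or Zeek-style HTTP log, not a real export.

```python
"""Flag beacon-style HTTP polling, its POST check-ins, and ICMP ping sweeps.

Added example; the log lines are CONSTRUCTED to match the timeline's
indicators and the field layout is an assumed simplification.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import parse_qs, urlsplit

# Constructed HTTP log: ~7 s polling of /update.rss (beacon), three POST
# check-ins to /submit.php?id=..., and irregular benign polling of a feed.
HTTP_LOG = """\
2020-11-13 09:40:12 192.168.200.8 185.141.24.71 GET webintercom76delivery.net /update.rss
2020-11-13 09:40:19 192.168.200.8 185.141.24.71 GET webintercom76delivery.net /update.rss
2020-11-13 09:40:26 192.168.200.8 185.141.24.71 GET webintercom76delivery.net /update.rss
2020-11-13 09:40:30 192.168.200.8 93.184.216.34 GET example.com /feed.xml
2020-11-13 09:40:31 192.168.200.8 93.184.216.34 GET example.com /feed.xml
2020-11-13 09:40:34 192.168.200.8 185.141.24.71 GET webintercom76delivery.net /update.rss
2020-11-13 09:40:40 192.168.200.8 185.141.24.71 GET webintercom76delivery.net /update.rss
2020-11-13 09:40:47 192.168.200.8 185.141.24.71 GET webintercom76delivery.net /update.rss
2020-11-13 09:40:55 192.168.200.8 185.141.24.71 GET webintercom76delivery.net /update.rss
2020-11-13 09:41:01 192.168.200.8 185.141.24.71 GET webintercom76delivery.net /update.rss
2020-11-13 09:41:08 192.168.200.8 185.141.24.71 GET webintercom76delivery.net /update.rss
2020-11-13 09:41:15 192.168.200.8 185.141.24.71 GET webintercom76delivery.net /update.rss
2020-11-13 09:42:35 192.168.200.8 185.141.24.71 POST webintercom76delivery.net /submit.php?id=123429382
2020-11-13 09:42:50 192.168.200.8 93.184.216.34 GET example.com /feed.xml
2020-11-13 09:43:02 192.168.200.8 93.184.216.34 GET example.com /feed.xml
2020-11-13 09:44:10 192.168.200.8 185.141.24.71 POST webintercom76delivery.net /submit.php?id=123429382
2020-11-13 09:46:11 192.168.200.8 93.184.216.34 GET example.com /feed.xml
2020-11-13 09:47:40 192.168.200.8 93.184.216.34 GET example.com /feed.xml
2020-11-13 09:49:01 192.168.200.8 185.141.24.71 POST webintercom76delivery.net /submit.php?id=123429382
"""

# Constructed ICMP log ("date time src dst"): one host sweeps 10.0.0.1-12 in
# a few seconds; another pings only its gateway.
ICMP_LOG = [f"2020-11-13 09:45:{i:02d} 192.168.200.8 10.0.0.{i}" for i in range(1, 13)]
ICMP_LOG += ["2020-11-13 09:45:05 192.168.200.20 192.168.200.1"]

EPOCH = datetime(1970, 1, 1)  # naive reference so bucketing ignores local TZ


def parse_ts(day, clock):
    return datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")


def parse_http(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            day, clock, src, dst, method, host, uri = line.split()
            records.append({"ts": parse_ts(day, clock), "src": src, "dst": dst,
                            "method": method, "host": host, "uri": uri})
    return records


def find_beacons(records, min_requests=6, max_cv=0.25):
    """Map (src, dst, host, uri) -> (count, mean gap s, coefficient of variation)
    for GET series whose inter-request gaps are nearly constant (cv <= max_cv)."""
    series = defaultdict(list)
    for r in records:
        if r["method"] == "GET":
            series[(r["src"], r["dst"], r["host"], r["uri"])].append(r["ts"])
    flagged = {}
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[key] = (len(stamps), avg, pstdev(gaps) / avg)
    return flagged


def find_checkins(records, beacons):
    """POSTs to a (src, dst, host) tuple that is already polling regularly."""
    c2 = {(s, d, h) for (s, d, h, _uri) in beacons}
    return [r for r in records
            if r["method"] == "POST" and (r["src"], r["dst"], r["host"]) in c2]


def beacon_ids(checkins):
    """Pull the id= query value out of each check-in URI."""
    return {v for r in checkins
            for v in parse_qs(urlsplit(r["uri"]).query).get("id", [])}


def find_ping_sweeps(lines, min_targets=8, window=60):
    """Sources that probe >= min_targets distinct hosts inside one window."""
    targets = defaultdict(set)
    for line in lines:
        day, clock, src, dst = line.split()
        bucket = int((parse_ts(day, clock) - EPOCH).total_seconds()) // window
        targets[(src, bucket)].add(dst)
    return {src: len(d) for (src, _b), d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    recs = parse_http(HTTP_LOG)
    beacons = find_beacons(recs)
    for key, (n, avg, cv) in beacons.items():
        print(f"beacon: {key} n={n} mean_gap={avg:.1f}s cv={cv:.2f}")
    checkins = find_checkins(recs, beacons)
    print("check-ins:", len(checkins), "beacon id(s):", beacon_ids(checkins))
    print("ping sweeps:", find_ping_sweeps(ICMP_LOG))
```

The feed polling in the sample has the same request count as the beacon but a coefficient of variation above 0.8, so it is not flagged; real beacons configured with Cobalt Strike's jitter option widen their gaps, so raise max_cv (or switch to a histogram of gaps) before relying on this against a tuned profile.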