
Nokoyawa

By Detecteam, 2023-09-28

TLP

TLP CLEAR

Author

Jordi M. Lobo, David Deflache, Sebastien Tricaud

Summary

This scenario covers an intrusion that began with a malicious Excel document in October 2022 and ended in Nokoyawa ransomware. The document triggered macros, leading to the execution of an IcedID DLL payload. The attackers established persistence on the host, deployed Cobalt Strike beacons, escalated privileges, and conducted reconnaissance. They later moved to a Domain Controller and performed network scans and file discovery, indicating their interest in sensitive data. After days of inactivity, the threat actors returned, downloaded external files, and continued lateral movement and discovery. The intrusion ultimately culminated in a ransomware attack demanding $200,000 in Bitcoin. The entire incident spanned around six days.

TIMELINE

DATA

We provide data for one attack each week, hoping to help raise awareness of threats through the data they leave behind.

windows_sysmon.xml (download)

CATEGORY

Ransomware

REFERENCES

  • https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
  • https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokoyawa-variant

MITRE ATT&CK

Post Tags:

  • T1003.001 - LSASS Memory
  • T1016 - System Network Configuration Discovery
  • T1018 - Remote System Discovery
  • T1021.001 - Remote Desktop Protocol
  • T1021.002 - SMB/Windows Admin Shares
  • T1021.006 - Windows Remote Management
  • T1036.003 - Rename System Utilities
  • T1041 - Exfiltration Over C2 Channel
  • T1047 - Windows Management Instrumentation
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1055 - Process Injection
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1070.004 - File Deletion
  • T1071 - Application Layer Protocol
  • T1071.001 - Web Protocols
  • T1078 - Valid Accounts
  • T1083 - File and Directory Discovery
  • T1087.001 - Local Account
  • T1087.002 - Domain Account
  • T1102 - Web Service
  • T1105 - Ingress Tool Transfer
  • T1134.001 - Token Impersonation/Theft
  • T1204.002 - User Execution: Malicious File
  • T1218.011 - System Binary Proxy Execution: Rundll32
  • T1219 - Remote Access Software
  • T1482 - Domain Trust Discovery
  • T1486 - Data Encrypted for Impact
  • T1552.001 - Credentials In Files
  • T1560.001 - Archive via Utility
  • T1566.001 - Phishing: Spearphishing Attachment
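The initial access chain in the summary (malicious Excel document, macro, IcedID DLL run through rundll32; T1204.002 and T1218.011 above) is the kind of parent/child relationship the shared Sysmon data lets a defender check for. The following is an added example, not code from Detecteam or from the referenced reports: it parses Sysmon process-creation events (Event ID 1) in the exported XML shape and flags an Office application spawning a proxy-execution binary. The two events in SAMPLE_XML, the file path and the DLL name are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace used by Sysmon exports.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: one suspicious chain (EXCEL.EXE -> rundll32 loading a DLL
# from a user-writable Temp folder) and one benign rundll32 launched by Explorer.
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\\Windows\\System32\\rundll32.exe</Data>
<Data Name="CommandLine">rundll32.exe C:\\Users\\victim\\AppData\\Local\\Temp\\payload.dll,#1</Data>
<Data Name="ParentImage">C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE</Data>
<Data Name="ParentCommandLine">"EXCEL.EXE" invoice.xls</Data>
</EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\\Windows\\System32\\rundll32.exe</Data>
<Data Name="CommandLine">rundll32.exe shell32.dll,Control_RunDLL</Data>
<Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
<Data Name="ParentCommandLine">explorer.exe</Data>
</EventData></Event>
</Events>"""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}


def parse_process_creates(xml_text):
    """Yield the EventData fields of every Sysmon Event ID 1 record as a dict."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "1":
            continue
        yield {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_office_proxy_execution(xml_text):
    """Return events where an Office app spawned a proxy-execution binary (T1204.002 -> T1218.011)."""
    hits = []
    for fields in parse_process_creates(xml_text):
        if (basename(fields.get("ParentImage", "")) in OFFICE_APPS
                and basename(fields.get("Image", "")) in PROXY_BINARIES):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in find_office_proxy_execution(SAMPLE_XML):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```

Run it against the downloadable windows_sysmon.xml by reading the file into `find_office_proxy_execution`; a hit whose command line points at a DLL in a user-writable directory is the pattern to triage first.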
Detecteam is transforming cybersecurity detection from static rule-writing to autonomous, continuous validation. Our REFLEX platform automates the detection lifecycle—building, testing, validating and deploying detections in minutes, not months. We help enterprises maximize ROI on existing tools, close high-risk detection gaps faster, and scale security outcomes without scaling headcount. This is the future of detection-as-code, and we’re leading it.
© 2025 Detecteam Inc. All Rights Reserved.