Analysis
  max time kernel: 151s
  max time network: 87s
  platform: windows7_x64
  resource: win7v200430
  submitted: 19-07-2020 17:14
Static task: static1
Behavioral task: behavioral1
  Sample: iceix_1.1.9.2.vir.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: iceix_1.1.9.2.vir.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: iceix_1.1.9.2.vir.exe
  Size: 132KB
  MD5: ab0656abc30d6a2042c0eeb453a42e28
  SHA1: 9eae2ae0ece6591f0a5c5195bd2135c1ec3570de
  SHA256: 460daa0c566c507d0e566e66d87636eeb495666380eae6210db0c9902ddefcb4
  SHA512: c5fd77840baf25aed6beae1f2cf98e799ff5df88f2c14bb67408acb79135c3b122a8a21718a2da243d68a37060368b67fb04b714dba5bea2c8fd7eb8e686a09a
  Score: 8/10
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
    description                           pid   process                 target process
    PID 1400 set thread context of 1752   1400  iceix_1.1.9.2.vir.exe   cmd.exe
- Deletes itself (1 IoC)
    pid   process
    1752  cmd.exe
    (the removal is performed by this cmd.exe running the dropped tmpa3b05987.bat listed under Downloads; see the process tree)
- NTFS ADS (1 IoC)
    description                    ioc                                                                                                     process
    File opened for modification   C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\21BF18CD-00000001.eml:OECustomProperty   WinMail.exe
    (Windows Mail itself stores per-message metadata in the OECustomProperty stream of .eml files, so this stream on its own is not an indicator; WinMail.exe is of interest here because ninoyh.exe wrote into it, see WriteProcessMemory below)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
    description                      pid   process
    Token: SeSecurityPrivilege       1400  iceix_1.1.9.2.vir.exe   (x3)
    Token: SeManageVolumePrivilege   1040  WinMail.exe
    Token: SeSecurityPrivilege       1752  cmd.exe
- Suspicious use of WriteProcessMemory (53 IoCs, collapsed to one row per source/target pair with the repeat count)
    description                        pid   process                 target process          count
    PID 1400 wrote to memory of 1524   1400  iceix_1.1.9.2.vir.exe   ninoyh.exe              4
    PID 1524 wrote to memory of 1132   1524  ninoyh.exe              taskhost.exe            5
    PID 1524 wrote to memory of 1220   1524  ninoyh.exe              Dwm.exe                 5
    PID 1524 wrote to memory of 1284   1524  ninoyh.exe              Explorer.EXE            5
    PID 1524 wrote to memory of 1400   1524  ninoyh.exe              iceix_1.1.9.2.vir.exe   5
    PID 1524 wrote to memory of 1040   1524  ninoyh.exe              WinMail.exe             5
    PID 1400 wrote to memory of 1752   1400  iceix_1.1.9.2.vir.exe   cmd.exe                 9
    PID 1524 wrote to memory of 1300   1524  ninoyh.exe              DllHost.exe             5
    PID 1524 wrote to memory of 1944   1524  ninoyh.exe              DllHost.exe             5
    PID 1524 wrote to memory of 560    1524  ninoyh.exe              DllHost.exe             5
    (the writes from 1400 into cmd.exe (1752) together with the SetThreadContext call on the same process are the write-image-then-redirect-entry-point pattern; the 156KB region dumped from 1752 at 0x50000-0x77000 and the mapping at 0x55B3D under Downloads are the injected code)
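The WriteProcessMemory and SetThreadContext rows above are enough to rebuild who injected into whom. The following script is an added example, not part of the sandbox output: it parses the row format the report prints, collapses the rows into one edge per source/target pair, labels each edge (writes paired with SetThreadContext on the same target, writes into pre-existing Windows hosts, or plain writes) and walks the chain from the submitted sample's PID. The sample rows are copied from the report with the repeats shortened and are embedded so it runs offline; the set of Windows host images is my own choice.

```python
"""Rebuild the cross-process injection chain from flattened sandbox rows of the form
   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
   PID <src> set thread context of <dst> <src> <src image> <dst image>
Added example; not part of the report.  Sample rows below are copied from the
report (repeats shortened) so the script runs offline."""
import re
from collections import defaultdict

# Constructed from the report's IoC rows (repeats are real and are counted).
WPM_ROWS = """
PID 1400 wrote to memory of 1524 1400 iceix_1.1.9.2.vir.exe ninoyh.exe
PID 1400 wrote to memory of 1524 1400 iceix_1.1.9.2.vir.exe ninoyh.exe
PID 1524 wrote to memory of 1132 1524 ninoyh.exe taskhost.exe
PID 1524 wrote to memory of 1220 1524 ninoyh.exe Dwm.exe
PID 1524 wrote to memory of 1284 1524 ninoyh.exe Explorer.EXE
PID 1524 wrote to memory of 1400 1524 ninoyh.exe iceix_1.1.9.2.vir.exe
PID 1524 wrote to memory of 1040 1524 ninoyh.exe WinMail.exe
PID 1400 wrote to memory of 1752 1400 iceix_1.1.9.2.vir.exe cmd.exe
PID 1400 wrote to memory of 1752 1400 iceix_1.1.9.2.vir.exe cmd.exe
PID 1524 wrote to memory of 1300 1524 ninoyh.exe DllHost.exe
"""
STC_ROWS = """
PID 1400 set thread context of 1752 1400 iceix_1.1.9.2.vir.exe cmd.exe
"""

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")

# Windows-owned hosts a dropper has no legitimate reason to write into (my choice).
WINDOWS_HOSTS = {"taskhost.exe", "dwm.exe", "explorer.exe", "dllhost.exe", "winmail.exe"}


def parse_rows(text, pattern):
    """Yield (src_pid, dst_pid, src_image, dst_image) for every row that matches."""
    for line in text.splitlines():
        m = pattern.search(line)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def build_injection_graph(wpm_text, stc_text):
    """One edge per (src_pid, dst_pid): number of memory writes plus a flag telling
    whether the same source also reset a thread context in that target."""
    edges = {}
    for s, d, si, di in parse_rows(wpm_text, WPM_RE):
        e = edges.setdefault((s, d), {"src": si, "dst": di, "writes": 0, "thread_ctx": False})
        e["writes"] += 1
    for s, d, si, di in parse_rows(stc_text, STC_RE):
        e = edges.setdefault((s, d), {"src": si, "dst": di, "writes": 0, "thread_ctx": False})
        e["thread_ctx"] = True
    return edges


def classify(edges):
    """'hollowing' when writes are paired with SetThreadContext on the same target
    (write the image, then point a thread at it), 'system-injection' when the
    target is a pre-existing Windows host, otherwise a plain 'write'."""
    labels = {}
    for key, e in edges.items():
        if e["thread_ctx"] and e["writes"]:
            labels[key] = "hollowing"
        elif e["dst"].lower() in WINDOWS_HOSTS:
            labels[key] = "system-injection"
        else:
            labels[key] = "write"
    return labels


def injection_chain(edges, root_pid):
    """Breadth-first walk over src->dst edges from root_pid; returns every pid the
    root's code can reach through memory writes, in discovery order."""
    adj = defaultdict(list)
    for s, d in edges:
        adj[s].append(d)
    seen, order, queue = {root_pid}, [], [root_pid]
    while queue:
        p = queue.pop(0)
        for d in adj[p]:
            if d not in seen:
                seen.add(d)
                order.append(d)
                queue.append(d)
    return order


if __name__ == "__main__":
    g = build_injection_graph(WPM_ROWS, STC_ROWS)
    for (s, d), label in classify(g).items():
        print(f"{s} -> {d} ({g[(s, d)]['src']} -> {g[(s, d)]['dst']}): {label}, writes={g[(s, d)]['writes']}")
    print("reachable from 1400:", injection_chain(g, 1400))
```

Run against the full 53 rows the counts match the table above; the walk from 1400 reaches ninoyh.exe and cmd.exe directly and every Windows host only through ninoyh.exe, which is the process to dump and to hunt for on other machines.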
- Executes dropped EXE (1 IoC)
    pid   process
    1524  ninoyh.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
    pid   process
    1040  WinMail.exe
- Loads dropped DLL (2 IoCs)
    pid   process
    1400  iceix_1.1.9.2.vir.exe   (x2)
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
    pid   process
    1524  ninoyh.exe   (x32)
- Modifies Internet Explorer settings (2 IoCs)
    description       ioc                                                                                                                          process
    Key created       \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy                    iceix_1.1.9.2.vir.exe
    Set value (int)   \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  iceix_1.1.9.2.vir.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
    description       ioc                                                                                                                          process
    Key created       \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run                   ninoyh.exe
    Set value (str)   \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{AD271FAD-BB2C-7D5D-1F5C-56656681EE8B} = "C:\\Users\\Admin\\AppData\\Roaming\\Cyobovy\\ninoyh.exe"   ninoyh.exe
    (per-user Run key, so no elevation was needed; the value name is a bare GUID and the target is the dropped copy under AppData\Roaming)
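The Run-key IoC above has the three traits that separate malware persistence from an installer's autorun entry: it sits in the per-user hive, the value name is a bare GUID, and it points at a freshly dropped file under AppData. The script below is an added example, not part of the report: it parses the report's "Set value" line format, unescapes the doubled backslashes, and scores the entry against those traits plus the dropped-file list. The IoC line is copied from the report; the benign comparison line, the dropped-file set and the scoring are my own constructions.

```python
"""Triage an 'Adds Run key' registry IoC from a sandbox report.
Added example; not part of the report.  The RUN_IOC line is copied from the
report; BENIGN_IOC is a constructed comparison entry of the shape a Windows
component would write, and the heuristics/weights are my own."""
import re

RUN_IOC = (r'Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000'
           r'\Software\Microsoft\Windows\CurrentVersion\Run\{AD271FAD-BB2C-7D5D-1F5C-56656681EE8B}'
           r' = "C:\\Users\\Admin\\AppData\\Roaming\\Cyobovy\\ninoyh.exe"')

# Constructed benign entry: machine-wide key, readable name, target under %windir%.
BENIGN_IOC = (r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth'
              r' = "C:\\Windows\\system32\\SecurityHealthSystray.exe"')

# Files the report lists as dropped by the sample ("Executes dropped EXE").
DROPPED = {r"C:\Users\Admin\AppData\Roaming\Cyobovy\ninoyh.exe"}

# "Set value (<type>) <key>\<name> = "<data>""  -- the key path has no spaces,
# the value name has no backslashes, the data is the quoted remainder.
SET_RE = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\\S+?)\\([^\\]+) = "(.*)"$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)


def parse_set_value(line):
    """Return {'type','key','name','data'} for a 'Set value' row, else None.
    The report doubles backslashes inside the quoted data; undo that."""
    m = SET_RE.search(line)
    if not m:
        return None
    vtype, key, name, data = m.groups()
    return {"type": vtype, "key": key, "name": name, "data": data.replace("\\\\", "\\")}


def triage_autorun(entry, dropped=DROPPED):
    """Score a Run/RunOnce value: one point per heuristic that fires, with the reasons."""
    reasons = []
    if not RUN_KEY_RE.search(entry["key"]):
        return 0, []
    if entry["key"].upper().startswith("\\REGISTRY\\USER\\"):
        reasons.append("per-user (HKCU) Run key: writable without elevation")
    if GUID_RE.match(entry["name"]):
        reasons.append("value name is a bare GUID rather than a product name")
    path = entry["data"]
    if re.search(r"\\AppData\\(Roaming|Local)\\", path, re.I):
        reasons.append("autorun target lives under the user profile (AppData)")
    if path.lower() in {p.lower() for p in dropped}:
        reasons.append("autorun target is a file the sample dropped")
    return len(reasons), reasons


if __name__ == "__main__":
    for line in (RUN_IOC, BENIGN_IOC):
        entry = parse_set_value(line)
        score, why = triage_autorun(entry)
        print(f"{entry['name']!r} -> score {score}")
        for r in why:
            print("   -", r)
```

The same parser handles the "Modifies Internet Explorer settings" rows (they use the identical "Set value (int) ... = ..." layout), so one pass over a report's registry IoCs gives you both the persistence entry and the browser-setting changes to carry into a hunt.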
Processes
- C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\iceix_1.1.9.2.vir.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\iceix_1.1.9.2.vir.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
      - Modifies Internet Explorer settings
    - C:\Users\Admin\AppData\Roaming\Cyobovy\ninoyh.exe
        command line: "C:\Users\Admin\AppData\Roaming\Cyobovy\ninoyh.exe"
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Adds Run key to start application
    - C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa3b05987.bat"
        (the command line names system32 but the image loaded is the SysWOW64 copy: a 32-bit parent launching cmd.exe under WOW64 file-system redirection)
        - Deletes itself
        - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Windows Mail\WinMail.exe
    command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpa3b05987.bat
-
C:\Users\Admin\AppData\Roaming\Cyobovy\ninoyh.exe
-
C:\Users\Admin\AppData\Roaming\Cyobovy\ninoyh.exe
-
C:\Users\Admin\AppData\Roaming\Itd\ezagmil.ymi
-
\Users\Admin\AppData\Roaming\Cyobovy\ninoyh.exe
-
\Users\Admin\AppData\Roaming\Cyobovy\ninoyh.exe
-
memory/1040-5-0x00000000038C0000-0x00000000039C0000-memory.dmp   (1024KB)
-
memory/1040-7-0x00000000038C0000-0x0000000003AC0000-memory.dmp   (2.0MB)
-
memory/1040-9-0x00000000038C0000-0x00000000039C0000-memory.dmp   (1024KB)
-
memory/1040-10-0x00000000038C0000-0x0000000003AC0000-memory.dmp  (2.0MB)
-
memory/1040-11-0x00000000039C0000-0x0000000003AC0000-memory.dmp  (1024KB)
-
memory/1040-15-0x0000000003AD0000-0x0000000003AD2000-memory.dmp  (8KB)
-
memory/1040-16-0x0000000003AE0000-0x0000000003AE2000-memory.dmp  (8KB)
-
memory/1040-17-0x0000000003AF0000-0x0000000003AF2000-memory.dmp  (8KB)
-
memory/1040-18-0x0000000003FC0000-0x0000000003FC2000-memory.dmp  (8KB)
-
memory/1040-19-0x0000000003F80000-0x0000000003F82000-memory.dmp  (8KB)
-
memory/1040-20-0x0000000003C60000-0x0000000003C62000-memory.dmp  (8KB)
-
memory/1040-21-0x0000000003AF0000-0x0000000003AF2000-memory.dmp  (8KB)
-
memory/1040-22-0x0000000003AF0000-0x0000000003AF2000-memory.dmp  (8KB)
-
memory/1040-23-0x0000000003F80000-0x0000000003F82000-memory.dmp  (8KB)
-
memory/1524-2-0x0000000000000000-mapping.dmp
-
memory/1752-24-0x0000000000050000-0x0000000000077000-memory.dmp  (156KB)
-
memory/1752-26-0x0000000000055B3D-mapping.dmp