460daa0c566c507d0e566e66d87636eeb495666380eae6210db0c9902ddefcb4

General

Target

iceix_1.1.9.2.vir.exe
Size

132KB
MD5

ab0656abc30d6a2042c0eeb453a42e28
SHA1

9eae2ae0ece6591f0a5c5195bd2135c1ec3570de
SHA256

460daa0c566c507d0e566e66d87636eeb495666380eae6210db0c9902ddefcb4
SHA512

c5fd77840baf25aed6beae1f2cf98e799ff5df88f2c14bb67408acb79135c3b122a8a21718a2da243d68a37060368b67fb04b714dba5bea2c8fd7eb8e686a09a

Score

8^/10

persistence

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

iceix_1.1.9.2.vir.exe

description pid process target process

PID 1400 set thread context of 1752 1400 iceix_1.1.9.2.vir.exe cmd.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1752 cmd.exe

description	pid	process	target process
PID 1400 set thread context of 1752	1400	iceix_1.1.9.2.vir.exe	cmd.exe

pid	process
1752	cmd.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\21BF18CD-00000001.eml:OECustomProperty	WinMail.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

iceix_1.1.9.2.vir.exeWinMail.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	1400	iceix_1.1.9.2.vir.exe
Token: SeSecurityPrivilege	1400	iceix_1.1.9.2.vir.exe
Token: SeSecurityPrivilege	1400	iceix_1.1.9.2.vir.exe
Token: SeManageVolumePrivilege	1040	WinMail.exe
Token: SeSecurityPrivilege	1752	cmd.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

iceix_1.1.9.2.vir.exeninoyh.exe

description	pid	process	target process
PID 1400 wrote to memory of 1524	1400	iceix_1.1.9.2.vir.exe	ninoyh.exe
PID 1400 wrote to memory of 1524	1400	iceix_1.1.9.2.vir.exe	ninoyh.exe
PID 1400 wrote to memory of 1524	1400	iceix_1.1.9.2.vir.exe	ninoyh.exe
PID 1400 wrote to memory of 1524	1400	iceix_1.1.9.2.vir.exe	ninoyh.exe
PID 1524 wrote to memory of 1132	1524	ninoyh.exe	taskhost.exe
PID 1524 wrote to memory of 1132	1524	ninoyh.exe	taskhost.exe
PID 1524 wrote to memory of 1132	1524	ninoyh.exe	taskhost.exe
PID 1524 wrote to memory of 1132	1524	ninoyh.exe	taskhost.exe
PID 1524 wrote to memory of 1132	1524	ninoyh.exe	taskhost.exe
PID 1524 wrote to memory of 1220	1524	ninoyh.exe	Dwm.exe
PID 1524 wrote to memory of 1220	1524	ninoyh.exe	Dwm.exe
PID 1524 wrote to memory of 1220	1524	ninoyh.exe	Dwm.exe
PID 1524 wrote to memory of 1220	1524	ninoyh.exe	Dwm.exe
PID 1524 wrote to memory of 1220	1524	ninoyh.exe	Dwm.exe
PID 1524 wrote to memory of 1284	1524	ninoyh.exe	Explorer.EXE
PID 1524 wrote to memory of 1284	1524	ninoyh.exe	Explorer.EXE
PID 1524 wrote to memory of 1284	1524	ninoyh.exe	Explorer.EXE
PID 1524 wrote to memory of 1284	1524	ninoyh.exe	Explorer.EXE
PID 1524 wrote to memory of 1284	1524	ninoyh.exe	Explorer.EXE
PID 1524 wrote to memory of 1400	1524	ninoyh.exe	iceix_1.1.9.2.vir.exe
PID 1524 wrote to memory of 1400	1524	ninoyh.exe	iceix_1.1.9.2.vir.exe
PID 1524 wrote to memory of 1400	1524	ninoyh.exe	iceix_1.1.9.2.vir.exe
PID 1524 wrote to memory of 1400	1524	ninoyh.exe	iceix_1.1.9.2.vir.exe
PID 1524 wrote to memory of 1400	1524	ninoyh.exe	iceix_1.1.9.2.vir.exe
PID 1524 wrote to memory of 1040	1524	ninoyh.exe	WinMail.exe
PID 1524 wrote to memory of 1040	1524	ninoyh.exe	WinMail.exe
PID 1524 wrote to memory of 1040	1524	ninoyh.exe	WinMail.exe
PID 1524 wrote to memory of 1040	1524	ninoyh.exe	WinMail.exe
PID 1524 wrote to memory of 1040	1524	ninoyh.exe	WinMail.exe
PID 1400 wrote to memory of 1752	1400	iceix_1.1.9.2.vir.exe	cmd.exe
PID 1400 wrote to memory of 1752	1400	iceix_1.1.9.2.vir.exe	cmd.exe
PID 1400 wrote to memory of 1752	1400	iceix_1.1.9.2.vir.exe	cmd.exe
PID 1400 wrote to memory of 1752	1400	iceix_1.1.9.2.vir.exe	cmd.exe
PID 1400 wrote to memory of 1752	1400	iceix_1.1.9.2.vir.exe	cmd.exe
PID 1400 wrote to memory of 1752	1400	iceix_1.1.9.2.vir.exe	cmd.exe
PID 1400 wrote to memory of 1752	1400	iceix_1.1.9.2.vir.exe	cmd.exe
PID 1400 wrote to memory of 1752	1400	iceix_1.1.9.2.vir.exe	cmd.exe
PID 1400 wrote to memory of 1752	1400	iceix_1.1.9.2.vir.exe	cmd.exe
PID 1524 wrote to memory of 1300	1524	ninoyh.exe	DllHost.exe
PID 1524 wrote to memory of 1300	1524	ninoyh.exe	DllHost.exe
PID 1524 wrote to memory of 1300	1524	ninoyh.exe	DllHost.exe
PID 1524 wrote to memory of 1300	1524	ninoyh.exe	DllHost.exe
PID 1524 wrote to memory of 1300	1524	ninoyh.exe	DllHost.exe
PID 1524 wrote to memory of 1944	1524	ninoyh.exe	DllHost.exe
PID 1524 wrote to memory of 1944	1524	ninoyh.exe	DllHost.exe
PID 1524 wrote to memory of 1944	1524	ninoyh.exe	DllHost.exe
PID 1524 wrote to memory of 1944	1524	ninoyh.exe	DllHost.exe
PID 1524 wrote to memory of 1944	1524	ninoyh.exe	DllHost.exe
PID 1524 wrote to memory of 560	1524	ninoyh.exe	DllHost.exe
PID 1524 wrote to memory of 560	1524	ninoyh.exe	DllHost.exe
PID 1524 wrote to memory of 560	1524	ninoyh.exe	DllHost.exe
PID 1524 wrote to memory of 560	1524	ninoyh.exe	DllHost.exe
PID 1524 wrote to memory of 560	1524	ninoyh.exe	DllHost.exe

Executes dropped EXE 1 IoCs

Processes:

ninoyh.exe

pid process

1524 ninoyh.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1040 WinMail.exe
Loads dropped DLL 2 IoCs

Processes:

iceix_1.1.9.2.vir.exe

pid process

1400 iceix_1.1.9.2.vir.exe
1400 iceix_1.1.9.2.vir.exe

pid	process
1040	WinMail.exe

pid	process
1400	iceix_1.1.9.2.vir.exe
1400	iceix_1.1.9.2.vir.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

ninoyh.exe

pid	process
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe
1524	ninoyh.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

iceix_1.1.9.2.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy	iceix_1.1.9.2.vir.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	iceix_1.1.9.2.vir.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ninoyh.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run	ninoyh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{AD271FAD-BB2C-7D5D-1F5C-56656681EE8B} = "C:\\Users\\Admin\\AppData\\Roaming\\Cyobovy\\ninoyh.exe"	ninoyh.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\iceix_1.1.9.2.vir.exe
"C:\Users\Admin\AppData\Local\Temp\iceix_1.1.9.2.vir.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Modifies Internet Explorer settings
PID:1400

C:\Users\Admin\AppData\Roaming\Cyobovy\ninoyh.exe
"C:\Users\Admin\AppData\Roaming\Cyobovy\ninoyh.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa3b05987.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1300

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1944

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa3b05987.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Cyobovy\ninoyh.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Cyobovy\ninoyh.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Itd\ezagmil.ymi

Download Submit
\Users\Admin\AppData\Roaming\Cyobovy\ninoyh.exe

Download Submit
\Users\Admin\AppData\Roaming\Cyobovy\ninoyh.exe

Download Submit
memory/1040-15-0x0000000003AD0000-0x0000000003AD2000-memory.dmp

Filesize
8KB

Download
memory/1040-20-0x0000000003C60000-0x0000000003C62000-memory.dmp

Filesize
8KB

Download
memory/1040-10-0x00000000038C0000-0x0000000003AC0000-memory.dmp

Filesize
2.0MB

Download
memory/1040-11-0x00000000039C0000-0x0000000003AC0000-memory.dmp

Filesize
1024KB

Download
memory/1040-7-0x00000000038C0000-0x0000000003AC0000-memory.dmp

Filesize
2.0MB

Download
memory/1040-16-0x0000000003AE0000-0x0000000003AE2000-memory.dmp

Filesize
8KB

Download
memory/1040-17-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/1040-18-0x0000000003FC0000-0x0000000003FC2000-memory.dmp

Filesize
8KB

Download
memory/1040-19-0x0000000003F80000-0x0000000003F82000-memory.dmp

Filesize
8KB

Download
memory/1040-9-0x00000000038C0000-0x00000000039C0000-memory.dmp

Filesize
1024KB

Download
memory/1040-21-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/1040-22-0x0000000003AF0000-0x0000000003AF2000-memory.dmp

Filesize
8KB

Download
memory/1040-23-0x0000000003F80000-0x0000000003F82000-memory.dmp

Filesize
8KB

Download
memory/1040-5-0x00000000038C0000-0x00000000039C0000-memory.dmp

Filesize
1024KB

Download
memory/1524-2-0x0000000000000000-mapping.dmp

Download
memory/1752-24-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1752-26-0x0000000000055B3D-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads