Analysis
- max time kernel: 151s
- max time network: 89s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:51
Static task: static1
Behavioral task: behavioral1
- Sample: iceix_1.1.5.0.vir.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: iceix_1.1.5.0.vir.exe
- Resource: win10
General
- Target: iceix_1.1.5.0.vir.exe
- Size: 253KB
- MD5: a5fb8563ce0eced343a7b9a3b4a6d915
- SHA1: 04a3fdf64b80099623856bc5bef35af2fa55601c
- SHA256: 70e1d2fba60a7d20e531b09ff328fef21b82bb7e87d78a48f964d82c7dd2680f
- SHA512: 9992e37f7b0f34f9d2f792b16fe4e635e4e7ec8c7c9e2679253332acba89407082601a724010506190b510e614b30c23168d6be7707f9884b599e0d308f69bd6
Malware Config
Signatures
- Suspicious use of WriteProcessMemory 53 IoCs
Processes: iceix_1.1.5.0.vir.exe, tysovo.exe
description | pid | process | target process | repeated
PID 1400 wrote to memory of 1592 | 1400 | iceix_1.1.5.0.vir.exe | tysovo.exe | 4 times
PID 1592 wrote to memory of 1132 | 1592 | tysovo.exe | taskhost.exe | 5 times
PID 1592 wrote to memory of 1220 | 1592 | tysovo.exe | Dwm.exe | 5 times
PID 1592 wrote to memory of 1284 | 1592 | tysovo.exe | Explorer.EXE | 5 times
PID 1592 wrote to memory of 1400 | 1592 | tysovo.exe | iceix_1.1.5.0.vir.exe | 5 times
PID 1592 wrote to memory of 1056 | 1592 | tysovo.exe | WinMail.exe | 5 times
PID 1400 wrote to memory of 1296 | 1400 | iceix_1.1.5.0.vir.exe | cmd.exe | 10 times
PID 1592 wrote to memory of 1580 | 1592 | tysovo.exe | DllHost.exe | 5 times
PID 1592 wrote to memory of 904 | 1592 | tysovo.exe | DllHost.exe | 5 times
PID 1592 wrote to memory of 1080 | 1592 | tysovo.exe | DllHost.exe | 5 times
- Suspicious use of SetWindowsHookEx 1 IoCs
Processes: WinMail.exe
pid | process
1056 | WinMail.exe
- Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: tysovo.exe, iceix_1.1.5.0.vir.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | tysovo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | iceix_1.1.5.0.vir.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | iceix_1.1.5.0.vir.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | tysovo.exe
- Modifies Internet Explorer settings
Processes: iceix_1.1.5.0.vir.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy | iceix_1.1.5.0.vir.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | iceix_1.1.5.0.vir.exe
- Adds Run key to start application 2 TTPs 2 IoCs
Processes: tysovo.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run | tysovo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{B18389F5-6F94-272C-75BC-36F0FBF17293} = "C:\\Users\\Admin\\AppData\\Roaming\\Faho\\tysovo.exe" | tysovo.exe
- Loads dropped DLL 1 IoCs
Processes: iceix_1.1.5.0.vir.exe
pid | process
1400 | iceix_1.1.5.0.vir.exe
- Executes dropped EXE 1 IoCs
Processes: tysovo.exe
pid | process
1592 | tysovo.exe
- Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes: tysovo.exe
pid | process | repeated
1592 | tysovo.exe | 32 times
- Suspicious use of SetThreadContext 1 IoCs
Processes: iceix_1.1.5.0.vir.exe
description | pid | process | target process
PID 1400 set thread context of 1296 | 1400 | iceix_1.1.5.0.vir.exe | cmd.exe
- Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
1296 | cmd.exe
- NTFS ADS 1 IoCs
Processes: WinMail.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\330D2D3D-00000001.eml:OECustomProperty | WinMail.exe
- Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: iceix_1.1.5.0.vir.exe, WinMail.exe, cmd.exe
description | pid | process
Token: SeSecurityPrivilege | 1400 | iceix_1.1.5.0.vir.exe
Token: SeSecurityPrivilege | 1400 | iceix_1.1.5.0.vir.exe
Token: SeSecurityPrivilege | 1400 | iceix_1.1.5.0.vir.exe
Token: SeManageVolumePrivilege | 1056 | WinMail.exe
Token: SeSecurityPrivilege | 1296 | cmd.exe
Processes (indentation shows the process tree depth reported by the sandbox)
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\iceix_1.1.5.0.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\iceix_1.1.5.0.vir.exe"
    signatures: Suspicious use of WriteProcessMemory; Maps connected drives based on registry; Modifies Internet Explorer settings; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\Faho\tysovo.exe
      command line: "C:\Users\Admin\AppData\Roaming\Faho\tysovo.exe"
      signatures: Suspicious use of WriteProcessMemory; Maps connected drives based on registry; Adds Run key to start application; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp988ed339.bat"
      signatures: Deletes itself; Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Windows Mail\WinMail.exe
  command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  signatures: Suspicious use of SetWindowsHookEx; NTFS ADS; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp988ed339.bat
- C:\Users\Admin\AppData\Roaming\Faho\tysovo.exe
- C:\Users\Admin\AppData\Roaming\Faho\tysovo.exe
- C:\Users\Admin\AppData\Roaming\Fydo\iqywes.vey
- \Users\Admin\AppData\Roaming\Faho\tysovo.exe
- memory/1056-26-0x00000000024D0000-0x00000000024D2000-memory.dmp (filesize 8KB)
- memory/1056-21-0x00000000040D0000-0x00000000040D2000-memory.dmp (filesize 8KB)
- memory/1056-9-0x00000000039F0000-0x0000000003BF0000-memory.dmp (filesize 2.0MB)
- memory/1056-10-0x0000000003AF0000-0x0000000003BF0000-memory.dmp (filesize 1024KB)
- memory/1056-14-0x00000000024D0000-0x00000000024D2000-memory.dmp (filesize 8KB)
- memory/1056-15-0x00000000024E0000-0x00000000024E2000-memory.dmp (filesize 8KB)
- memory/1056-16-0x00000000024F0000-0x00000000024F2000-memory.dmp (filesize 8KB)
- memory/1056-32-0x0000000004230000-0x0000000004232000-memory.dmp (filesize 8KB)
- memory/1056-6-0x00000000039F0000-0x0000000003BF0000-memory.dmp (filesize 2.0MB)
- memory/1056-31-0x0000000004140000-0x0000000004142000-memory.dmp (filesize 8KB)
- memory/1056-20-0x00000000035C0000-0x00000000035C2000-memory.dmp (filesize 8KB)
- memory/1056-8-0x00000000039F0000-0x0000000003AF0000-memory.dmp (filesize 1024KB)
- memory/1056-22-0x0000000003600000-0x0000000003602000-memory.dmp (filesize 8KB)
- memory/1056-23-0x0000000003600000-0x0000000003602000-memory.dmp (filesize 8KB)
- memory/1056-24-0x0000000003640000-0x0000000003642000-memory.dmp (filesize 8KB)
- memory/1056-25-0x0000000003600000-0x0000000003602000-memory.dmp (filesize 8KB)
- memory/1056-4-0x00000000039F0000-0x0000000003AF0000-memory.dmp (filesize 1024KB)
- memory/1056-27-0x00000000041E0000-0x00000000041E2000-memory.dmp (filesize 8KB)
- memory/1056-28-0x0000000004200000-0x0000000004202000-memory.dmp (filesize 8KB)
- memory/1056-29-0x00000000041F0000-0x00000000041F2000-memory.dmp (filesize 8KB)
- memory/1056-30-0x0000000004210000-0x0000000004212000-memory.dmp (filesize 8KB)
- memory/1296-19-0x000000000006A4AB-mapping.dmp
- memory/1296-17-0x0000000000050000-0x0000000000077000-memory.dmp (filesize 156KB)
- memory/1592-1-0x0000000000000000-mapping.dmp