Overview

overview

8

Static

static

8

iceix_1.0.5.0.vir.exe

windows7_x64

8

iceix_1.0.5.0.vir.exe

windows10_x64

3

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    19-07-2020 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    iceix_1.0.5.0.vir.exe

  • Size

    194KB

  • MD5

    3f184bb7936b3c7b0f8f73ca1bc492b4

  • SHA1

    20c77250d17f70068836f891e0c77aeb69a001c1

  • SHA256

    4fdaee1072210091799af73f630e0eb993a1d2d42005dc096d1422d9924f1ad5

  • SHA512

    d6e3ad4da3a9fb175c097937f9cfc0bb913bb4d82385c1f038ff690a1b007435884945b7841e9b4f6ee4b927f3e696c8ca6211330dd645bb2d768ab0de70f64d

Score
8/10
persistence

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Deletes itself 1 IoCs
  • NTFS ADS 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1124
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1212
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1264
          • C:\Users\Admin\AppData\Local\Temp\iceix_1.0.5.0.vir.exe
            "C:\Users\Admin\AppData\Local\Temp\iceix_1.0.5.0.vir.exe"
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of AdjustPrivilegeToken
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            • Suspicious use of SetThreadContext
            PID:1144
            • C:\Users\Admin\AppData\Roaming\Imci\otivelq.exe
              "C:\Users\Admin\AppData\Roaming\Imci\otivelq.exe"
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              • Executes dropped EXE
              • Adds Run key to start application
              PID:840
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc0610b10.bat"
              3⤵
              • Deletes itself
              PID:1864
        • C:\Program Files\Windows Mail\WinMail.exe
          "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
          1⤵
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of SendNotifyMessage
          • NTFS ADS
          PID:1464
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1928
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:580

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            2
            T1112

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpc0610b10.bat
              Download Submit
            • C:\Users\Admin\AppData\Roaming\Buupas\damuaf.gey
              Download Submit
            • C:\Users\Admin\AppData\Roaming\Imci\otivelq.exe
              Download Submit
            • C:\Users\Admin\AppData\Roaming\Imci\otivelq.exe
              Download Submit
            • \Users\Admin\AppData\Roaming\Imci\otivelq.exe
              Download Submit
            • memory/840-1-0x0000000000000000-mapping.dmp
              Download
            • memory/1464-4-0x0000000003910000-0x0000000003A10000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/1464-6-0x0000000003910000-0x0000000003B10000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/1464-8-0x0000000003910000-0x0000000003A10000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/1464-9-0x0000000003910000-0x0000000003B10000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/1464-10-0x0000000003A10000-0x0000000003B10000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/1464-14-0x0000000003650000-0x0000000003652000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-15-0x0000000003660000-0x0000000003662000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-16-0x0000000003670000-0x0000000003672000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-17-0x0000000003650000-0x0000000003652000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-18-0x0000000003B40000-0x0000000003B42000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-19-0x0000000003FE0000-0x0000000003FE2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-20-0x0000000003F20000-0x0000000003F22000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-21-0x0000000003F20000-0x0000000003F22000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-22-0x0000000003B40000-0x0000000003B42000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-23-0x0000000004210000-0x0000000004212000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-24-0x0000000004220000-0x0000000004222000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-25-0x0000000003F20000-0x0000000003F22000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-26-0x0000000004210000-0x0000000004212000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-27-0x0000000004220000-0x0000000004222000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-28-0x0000000004360000-0x0000000004362000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-29-0x0000000004180000-0x0000000004182000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-30-0x0000000004370000-0x0000000004372000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-31-0x0000000004220000-0x0000000004222000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-32-0x0000000003F70000-0x0000000003F72000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-33-0x0000000004210000-0x0000000004212000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-34-0x0000000004340000-0x0000000004342000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-35-0x0000000003F70000-0x0000000003F72000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-36-0x0000000004220000-0x0000000004222000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-37-0x0000000003F90000-0x0000000003F92000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-38-0x0000000003B40000-0x0000000003B42000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-39-0x0000000003FC0000-0x0000000003FC2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-40-0x0000000003650000-0x0000000003652000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-41-0x0000000004080000-0x0000000004082000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-42-0x0000000003F10000-0x0000000003F12000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-43-0x00000000040D0000-0x00000000040D2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-44-0x0000000003FB0000-0x0000000003FB2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-45-0x0000000003F70000-0x0000000003F72000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-46-0x00000000040E0000-0x00000000040E2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-47-0x00000000040F0000-0x00000000040F2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-48-0x0000000004100000-0x0000000004102000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-49-0x0000000004110000-0x0000000004112000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1464-50-0x0000000003910000-0x0000000003A10000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/1464-52-0x0000000002400000-0x0000000002410000-memory.dmp
              Filesize

              64KB

              Download
            • memory/1464-58-0x00000000023A0000-0x00000000023B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/1864-64-0x0000000000050000-0x0000000000077000-memory.dmp
              Filesize

              156KB

              Download
            • memory/1864-66-0x000000000005C289-mapping.dmp
              Download