Analysis
- max time kernel: 151s
- max time network: 57s
- platform: windows7_x64
- resource: win7v200430
- submitted: 19-07-2020 19:41
Static task
- static1
Behavioral task
- behavioral1: sample iceix_1.2.7.0.vir.exe, resource win7v200430 (windows7_x64), 0 signatures, 0 seconds
Behavioral task
- behavioral2: sample iceix_1.2.7.0.vir.exe, resource win10 (windows10_x64), 0 signatures, 0 seconds
General
- Target: iceix_1.2.7.0.vir.exe
- Size: 204KB
- MD5: b92b8f41fdbf4ab686b0d596b102f67c
- SHA1: ecdfcdd954d17b4033ad01510e1206d021db9df3
- SHA256: 9dfd9793dd172c0c6c730d2e2b3c9b5c9daa0c7e317ff4148b19c3aa95558471
- SHA512: dc02c9c9e4e505af9920f268f9d3d95164b0e5dd6e1e957859cef745138afc561b540921c5e1034547a7ac048d1e4b4ae9b033e6bae25a4395c52e97fbdb1153
- Score: 8/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: iceix_1.2.7.0.vir.exe
description | pid | process
Token: SeSecurityPrivilege | 1320 | iceix_1.2.7.0.vir.exe
-
Loads dropped DLL 2 IoCs
Processes: iceix_1.2.7.0.vir.exe
pid | process
1320 | iceix_1.2.7.0.vir.exe (x2, identical rows collapsed)
-
Executes dropped EXE 2 IoCs
Processes: yzweesi.exe
pid | process
556 | yzweesi.exe
1620 | yzweesi.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: iceix_1.2.7.0.vir.exe, yzweesi.exe
pid | process
892 | iceix_1.2.7.0.vir.exe
556 | yzweesi.exe
-
Suspicious use of WriteProcessMemory 97 IoCs
Processes: iceix_1.2.7.0.vir.exe, cmd.exe, net.exe, yzweesi.exe
description | pid | process | target process (identical rows collapsed, count in parentheses)
PID 892 wrote to memory of 1320 | 892 | iceix_1.2.7.0.vir.exe | iceix_1.2.7.0.vir.exe (x9)
PID 1320 wrote to memory of 1396 | 1320 | iceix_1.2.7.0.vir.exe | cmd.exe (x4)
PID 1320 wrote to memory of 1412 | 1320 | iceix_1.2.7.0.vir.exe | cmd.exe (x4)
PID 1396 wrote to memory of 772 | 1396 | cmd.exe | netsh.exe (x4)
PID 1320 wrote to memory of 556 | 1320 | iceix_1.2.7.0.vir.exe | yzweesi.exe (x4)
PID 1412 wrote to memory of 1092 | 1412 | cmd.exe | sc.exe (x4)
PID 1412 wrote to memory of 1544 | 1412 | cmd.exe | net.exe (x4)
PID 1544 wrote to memory of 1524 | 1544 | net.exe | net1.exe (x4)
PID 1412 wrote to memory of 1688 | 1412 | cmd.exe | sc.exe (x4)
PID 1412 wrote to memory of 1360 | 1412 | cmd.exe | net.exe (x4)
PID 1360 wrote to memory of 1224 | 1360 | net.exe | net1.exe (x4)
PID 556 wrote to memory of 1620 | 556 | yzweesi.exe | yzweesi.exe (x9)
PID 1320 wrote to memory of 1556 | 1320 | iceix_1.2.7.0.vir.exe | cmd.exe (x4)
PID 1620 wrote to memory of 1116 | 1620 | yzweesi.exe | taskhost.exe (x2)
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes: yzweesi.exe
pid | process
1620 | yzweesi.exe (x26, identical rows collapsed)
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
1556 | cmd.exe
-
Runs net.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: yzweesi.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run | yzweesi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2CFEF4BB-9750-0034-3700-28292279974C} = "C:\\Users\\Admin\\AppData\\Roaming\\Osuzlyw\\yzweesi.exe" | yzweesi.exe
-
Launches sc.exe
sc.exe is a Windows utility to control services on the system.
-
Suspicious use of SetThreadContext 2 IoCs
Processes: iceix_1.2.7.0.vir.exe, yzweesi.exe
description | pid | process | target process
PID 892 set thread context of 1320 | 892 | iceix_1.2.7.0.vir.exe | iceix_1.2.7.0.vir.exe
PID 556 set thread context of 1620 | 556 | yzweesi.exe | yzweesi.exe
-
Modifies Windows Firewall 1 TTPs
-
Modifies service 2 TTPs 5 IoCs
Processes: netsh.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | netsh.exe
-
Modifies Internet Explorer settings
Processes: cmd.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy | cmd.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | cmd.exe
Processes (number in brackets is the depth in the tree; image path, then command line)
[1] C:\Windows\system32\taskhost.exe
    cmdline: "taskhost.exe"
[1] C:\Windows\system32\Dwm.exe
    cmdline: "C:\Windows\system32\Dwm.exe"
[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\iceix_1.2.7.0.vir.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\iceix_1.2.7.0.vir.exe"
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
    [3] C:\Users\Admin\AppData\Local\Temp\iceix_1.2.7.0.vir.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\iceix_1.2.7.0.vir.exe"
        - Suspicious use of AdjustPrivilegeToken
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa5885dcd.bat"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\netsh.exe
            cmdline: netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe"
            - Modifies service
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9b5ce639.bat"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\sc.exe
            cmdline: sc config wuauserv start= disabled
        [5] C:\Windows\SysWOW64\net.exe
            cmdline: net stop wuauserv
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop wuauserv
        [5] C:\Windows\SysWOW64\sc.exe
            cmdline: sc config wscsvc start= disabled
        [5] C:\Windows\SysWOW64\net.exe
            cmdline: net stop wscsvc
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop wscsvc
      [4] C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - Suspicious use of SetThreadContext
        [5] C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            - Suspicious behavior: EnumeratesProcesses
            - Adds Run key to start application
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa983c6b0.bat"
          - Deletes itself
          - Modifies Internet Explorer settings
[1] C:\Windows\system32\conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe "1896742867-414687477-47616810-6326320876532687801503374213-231889184-1909655224"
[1] C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[1] C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
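The process tree above is a compact statement of what this sample does: the sample re-launches its own image and writes into it (WriteProcessMemory plus SetThreadContext, the hollowing pattern), runs three temp batch files through cmd.exe, opens the firewall for a binary it dropped under AppData\Roaming, disables and stops wuauserv and wscsvc, persists through a Run key, and deletes itself. The script below is an added example, not part of the sandbox report: it encodes those behaviours as detection heuristics and runs them over process and registry records constructed from the tree and IoC tables. Assumptions: Explorer.EXE's PID is not on the page, so 0 stands in as the parent of PID 892; each sc.exe/net.exe/net1.exe PID is paired with its command line in the order the tree lists them; the Run-key data is written with single backslashes rather than the doubled ones in the sandbox's string rendering; and the image paths keep the SysWOW64 form the sandbox logged even though the command lines say system32, which is the 32-bit file-system redirector at work and something a rule keyed on image path alone must expect.

```python
"""Heuristic triage of a sandbox process tree (added example, not the report's code).

Rules cover: security/update service tampering, firewall allow-rules for
binaries in user-writable paths, a process re-spawning its own image,
cmd.exe running temp batch files, dropped executables, and Run-key persistence.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # image path as logged (SysWOW64 for the 32-bit helpers)
    cmdline: str


@dataclass(frozen=True)
class RegSet:
    pid: int
    key: str
    value: str
    data: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\iceix_1.2.7.0.vir.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed from the report's tree and IoC tables. Explorer.EXE (parent of
# PID 892) has no PID on the page, so 0 stands in (assumption).
PROCS = [
    Proc(892, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(1320, 892, SAMPLE, f'"{SAMPLE}"'),
    Proc(1396, 1320, CMD, r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa5885dcd.bat"'),
    Proc(772, 1396, r"C:\Windows\SysWOW64\netsh.exe",
         f'netsh advfirewall firewall add rule name="explore" dir=in action=allow program="{DROPPED}"'),
    Proc(1412, 1320, CMD, r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9b5ce639.bat"'),
    Proc(1092, 1412, r"C:\Windows\SysWOW64\sc.exe", "sc config wuauserv start= disabled"),
    Proc(1544, 1412, r"C:\Windows\SysWOW64\net.exe", "net stop wuauserv"),
    Proc(1524, 1544, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 stop wuauserv"),
    Proc(1688, 1412, r"C:\Windows\SysWOW64\sc.exe", "sc config wscsvc start= disabled"),
    Proc(1360, 1412, r"C:\Windows\SysWOW64\net.exe", "net stop wscsvc"),
    Proc(1224, 1360, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 stop wscsvc"),
    Proc(556, 1320, DROPPED, f'"{DROPPED}"'),
    Proc(1620, 556, DROPPED, f'"{DROPPED}"'),
    Proc(1556, 1320, CMD, r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa983c6b0.bat"'),
]
REGSETS = [
    RegSet(1620,
           r"\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run",
           "{2CFEF4BB-9750-0034-3700-28292279974C}", DROPPED),
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
SECURITY_SERVICES = {"wscsvc", "wuauserv", "windefend", "mpssvc"}
# Matches "net stop X", "sc config X ...", "sc stop X" and the net1 form,
# whether the tool appears as a bare name or a full path.
SVC_CMD = re.compile(r'(?:^|[\\\s])(?:net1?|sc)(?:\.exe)?"?\s+(?:stop|config)\s+(\S+)', re.I)
SVC_DISABLE = re.compile(r"\bstart=\s*disabled\b", re.I)
FW_ALLOW = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram="([^"]+)"', re.I)
TEMP_BAT = re.compile(r'\\Temp\\[^\\"]+\.bat\b', re.I)
RUN_KEY = r"\software\microsoft\windows\currentversion\run"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(procs, regsets):
    """Return (rule, pid, detail) tuples, one per matching behaviour."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        same_image = parent is not None and parent.image.lower() == p.image.lower()

        m = SVC_CMD.search(p.cmdline)
        if m and m.group(1).lower() in SECURITY_SERVICES:
            verb = "disabled" if SVC_DISABLE.search(p.cmdline) else "stopped"
            findings.append(("service_tamper", p.pid, f"{m.group(1).lower()} {verb}"))

        m = FW_ALLOW.search(p.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            findings.append(("firewall_exception", p.pid, m.group(1)))

        # A child with the same image as its parent is how the report's
        # WriteProcessMemory + SetThreadContext pairs (892->1320, 556->1620)
        # show up in process-creation telemetry that has no API-level events.
        if same_image:
            findings.append(("self_spawn", p.pid, basename(p.image)))

        if (basename(p.image) == "cmd.exe" and TEMP_BAT.search(p.cmdline)
                and parent is not None and basename(parent.image) != "cmd.exe"):
            findings.append(("temp_batch", p.pid, basename(parent.image)))

        if (p.image.lower().endswith(".exe") and USER_WRITABLE.search(p.image)
                and parent is not None and not same_image
                and USER_WRITABLE.search(parent.image)):
            findings.append(("dropped_exe", p.pid, basename(p.image)))

    for r in regsets:
        if r.key.lower().endswith(RUN_KEY) and USER_WRITABLE.search(r.data):
            findings.append(("run_key_persistence", r.pid, r.data))
    return findings


def summarize(findings):
    """Count findings per rule; a verdict can be built from the distinct rules hit."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(PROCS, REGSETS)
    for rule, pid, detail in hits:
        print(f"{rule:<22} pid={pid:<5} {detail}")
    print(summarize(hits))
```

Run stand-alone it prints fourteen findings across six rules. The service rule searches the whole command line rather than anchoring on the first token so that the net1 form, where the tool is given by full path, is caught as well; in real telemetry the same rule should also be applied to the image basename, since attackers can rename the tool but rarely change its arguments.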
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9b5ce639.bat
- C:\Users\Admin\AppData\Local\Temp\tmpa5885dcd.bat
- C:\Users\Admin\AppData\Local\Temp\tmpa983c6b0.bat
- C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe (3 entries)
- \Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe (2 entries)
- memory/556-12-0x0000000000000000-mapping.dmp
- memory/772-9-0x0000000000000000-mapping.dmp
- memory/1092-13-0x0000000000000000-mapping.dmp
- memory/1224-21-0x0000000000000000-mapping.dmp
- memory/1320-4-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/1320-2-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/1320-3-0x0000000000412214-mapping.dmp
- memory/1360-20-0x0000000000000000-mapping.dmp
- memory/1396-5-0x0000000000000000-mapping.dmp
- memory/1412-6-0x0000000000000000-mapping.dmp
- memory/1524-18-0x0000000000000000-mapping.dmp
- memory/1544-17-0x0000000000000000-mapping.dmp
- memory/1556-27-0x0000000000000000-mapping.dmp
- memory/1556-28-0x0000000000000000-mapping.dmp
- memory/1620-24-0x0000000000412214-mapping.dmp
- memory/1688-19-0x0000000000000000-mapping.dmp