9dfd9793dd172c0c6c730d2e2b3c9b5c9daa0c7e317ff4148b19c3aa95558471

General

Target

iceix_1.2.7.0.vir.exe
Size

204KB
MD5

b92b8f41fdbf4ab686b0d596b102f67c
SHA1

ecdfcdd954d17b4033ad01510e1206d021db9df3
SHA256

9dfd9793dd172c0c6c730d2e2b3c9b5c9daa0c7e317ff4148b19c3aa95558471
SHA512

dc02c9c9e4e505af9920f268f9d3d95164b0e5dd6e1e957859cef745138afc561b540921c5e1034547a7ac048d1e4b4ae9b033e6bae25a4395c52e97fbdb1153

Score

8^/10

persistence evasion

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

iceix_1.2.7.0.vir.exe

description pid process

Token: SeSecurityPrivilege 1320 iceix_1.2.7.0.vir.exe
Loads dropped DLL 2 IoCs

Processes:

iceix_1.2.7.0.vir.exe

pid process

1320 iceix_1.2.7.0.vir.exe
1320 iceix_1.2.7.0.vir.exe
Executes dropped EXE 2 IoCs

Processes:

yzweesi.exeyzweesi.exe

pid process

556 yzweesi.exe
1620 yzweesi.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

iceix_1.2.7.0.vir.exeyzweesi.exe

pid process

892 iceix_1.2.7.0.vir.exe
556 yzweesi.exe

description	pid	process
Token: SeSecurityPrivilege	1320	iceix_1.2.7.0.vir.exe

pid	process
1320	iceix_1.2.7.0.vir.exe
1320	iceix_1.2.7.0.vir.exe

pid	process
556	yzweesi.exe
1620	yzweesi.exe

pid	process
892	iceix_1.2.7.0.vir.exe
556	yzweesi.exe

Suspicious use of WriteProcessMemory 97 IoCs

Processes:

iceix_1.2.7.0.vir.exeiceix_1.2.7.0.vir.execmd.execmd.exenet.exenet.exeyzweesi.exeyzweesi.exe

description	pid	process	target process
PID 892 wrote to memory of 1320	892	iceix_1.2.7.0.vir.exe	iceix_1.2.7.0.vir.exe
PID 892 wrote to memory of 1320	892	iceix_1.2.7.0.vir.exe	iceix_1.2.7.0.vir.exe
PID 892 wrote to memory of 1320	892	iceix_1.2.7.0.vir.exe	iceix_1.2.7.0.vir.exe
PID 892 wrote to memory of 1320	892	iceix_1.2.7.0.vir.exe	iceix_1.2.7.0.vir.exe
PID 892 wrote to memory of 1320	892	iceix_1.2.7.0.vir.exe	iceix_1.2.7.0.vir.exe
PID 892 wrote to memory of 1320	892	iceix_1.2.7.0.vir.exe	iceix_1.2.7.0.vir.exe
PID 892 wrote to memory of 1320	892	iceix_1.2.7.0.vir.exe	iceix_1.2.7.0.vir.exe
PID 892 wrote to memory of 1320	892	iceix_1.2.7.0.vir.exe	iceix_1.2.7.0.vir.exe
PID 892 wrote to memory of 1320	892	iceix_1.2.7.0.vir.exe	iceix_1.2.7.0.vir.exe
PID 1320 wrote to memory of 1396	1320	iceix_1.2.7.0.vir.exe	cmd.exe
PID 1320 wrote to memory of 1396	1320	iceix_1.2.7.0.vir.exe	cmd.exe
PID 1320 wrote to memory of 1396	1320	iceix_1.2.7.0.vir.exe	cmd.exe
PID 1320 wrote to memory of 1396	1320	iceix_1.2.7.0.vir.exe	cmd.exe
PID 1320 wrote to memory of 1412	1320	iceix_1.2.7.0.vir.exe	cmd.exe
PID 1320 wrote to memory of 1412	1320	iceix_1.2.7.0.vir.exe	cmd.exe
PID 1320 wrote to memory of 1412	1320	iceix_1.2.7.0.vir.exe	cmd.exe
PID 1320 wrote to memory of 1412	1320	iceix_1.2.7.0.vir.exe	cmd.exe
PID 1396 wrote to memory of 772	1396	cmd.exe	netsh.exe
PID 1396 wrote to memory of 772	1396	cmd.exe	netsh.exe
PID 1396 wrote to memory of 772	1396	cmd.exe	netsh.exe
PID 1396 wrote to memory of 772	1396	cmd.exe	netsh.exe
PID 1320 wrote to memory of 556	1320	iceix_1.2.7.0.vir.exe	yzweesi.exe
PID 1320 wrote to memory of 556	1320	iceix_1.2.7.0.vir.exe	yzweesi.exe
PID 1320 wrote to memory of 556	1320	iceix_1.2.7.0.vir.exe	yzweesi.exe
PID 1320 wrote to memory of 556	1320	iceix_1.2.7.0.vir.exe	yzweesi.exe
PID 1412 wrote to memory of 1092	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 1092	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 1092	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 1092	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 1544	1412	cmd.exe	net.exe
PID 1412 wrote to memory of 1544	1412	cmd.exe	net.exe
PID 1412 wrote to memory of 1544	1412	cmd.exe	net.exe
PID 1412 wrote to memory of 1544	1412	cmd.exe	net.exe
PID 1544 wrote to memory of 1524	1544	net.exe	net1.exe
PID 1544 wrote to memory of 1524	1544	net.exe	net1.exe
PID 1544 wrote to memory of 1524	1544	net.exe	net1.exe
PID 1544 wrote to memory of 1524	1544	net.exe	net1.exe
PID 1412 wrote to memory of 1688	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 1688	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 1688	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 1688	1412	cmd.exe	sc.exe
PID 1412 wrote to memory of 1360	1412	cmd.exe	net.exe
PID 1412 wrote to memory of 1360	1412	cmd.exe	net.exe
PID 1412 wrote to memory of 1360	1412	cmd.exe	net.exe
PID 1412 wrote to memory of 1360	1412	cmd.exe	net.exe
PID 1360 wrote to memory of 1224	1360	net.exe	net1.exe
PID 1360 wrote to memory of 1224	1360	net.exe	net1.exe
PID 1360 wrote to memory of 1224	1360	net.exe	net1.exe
PID 1360 wrote to memory of 1224	1360	net.exe	net1.exe
PID 556 wrote to memory of 1620	556	yzweesi.exe	yzweesi.exe
PID 556 wrote to memory of 1620	556	yzweesi.exe	yzweesi.exe
PID 556 wrote to memory of 1620	556	yzweesi.exe	yzweesi.exe
PID 556 wrote to memory of 1620	556	yzweesi.exe	yzweesi.exe
PID 556 wrote to memory of 1620	556	yzweesi.exe	yzweesi.exe
PID 556 wrote to memory of 1620	556	yzweesi.exe	yzweesi.exe
PID 556 wrote to memory of 1620	556	yzweesi.exe	yzweesi.exe
PID 556 wrote to memory of 1620	556	yzweesi.exe	yzweesi.exe
PID 556 wrote to memory of 1620	556	yzweesi.exe	yzweesi.exe
PID 1320 wrote to memory of 1556	1320	iceix_1.2.7.0.vir.exe	cmd.exe
PID 1320 wrote to memory of 1556	1320	iceix_1.2.7.0.vir.exe	cmd.exe
PID 1320 wrote to memory of 1556	1320	iceix_1.2.7.0.vir.exe	cmd.exe
PID 1320 wrote to memory of 1556	1320	iceix_1.2.7.0.vir.exe	cmd.exe
PID 1620 wrote to memory of 1116	1620	yzweesi.exe	taskhost.exe
PID 1620 wrote to memory of 1116	1620	yzweesi.exe	taskhost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

yzweesi.exe

pid	process
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe
1620	yzweesi.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1556 cmd.exe
Runs net.exe

pid	process
1556	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yzweesi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run	yzweesi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2CFEF4BB-9750-0034-3700-28292279974C} = "C:\\Users\\Admin\\AppData\\Roaming\\Osuzlyw\\yzweesi.exe"	yzweesi.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Suspicious use of SetThreadContext 2 IoCs

Processes:

iceix_1.2.7.0.vir.exeyzweesi.exe

description	pid	process	target process
PID 892 set thread context of 1320	892	iceix_1.2.7.0.vir.exe	iceix_1.2.7.0.vir.exe
PID 556 set thread context of 1620	556	yzweesi.exe	yzweesi.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1248

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\iceix_1.2.7.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\iceix_1.2.7.0.vir.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:892

C:\Users\Admin\AppData\Local\Temp\iceix_1.2.7.0.vir.exe
"C:\Users\Admin\AppData\Local\Temp\iceix_1.2.7.0.vir.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa5885dcd.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe"
5⤵
- Modifies service
PID:772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9b5ce639.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\sc.exe
sc config wuauserv start= disabled
5⤵
PID:1092

C:\Windows\SysWOW64\net.exe
net stop wuauserv
5⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv
6⤵
PID:1524

C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= disabled
5⤵
PID:1688

C:\Windows\SysWOW64\net.exe
net stop wscsvc
5⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc
6⤵
PID:1224

C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe
"C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:556

C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe
"C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa983c6b0.bat"
4⤵
- Deletes itself
- Modifies Internet Explorer settings
PID:1556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1896742867-414687477-47616810-6326320876532687801503374213-231889184-1909655224"
1⤵
PID:1608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9b5ce639.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpa5885dcd.bat

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpa983c6b0.bat

Download Submit
C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe

Download Submit
\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe

Download Submit
\Users\Admin\AppData\Roaming\Osuzlyw\yzweesi.exe

Download Submit
memory/556-12-0x0000000000000000-mapping.dmp

Download
memory/772-9-0x0000000000000000-mapping.dmp

Download
memory/1092-13-0x0000000000000000-mapping.dmp

Download
memory/1224-21-0x0000000000000000-mapping.dmp

Download
memory/1320-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1320-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1320-3-0x0000000000412214-mapping.dmp

Download
memory/1360-20-0x0000000000000000-mapping.dmp

Download
memory/1396-5-0x0000000000000000-mapping.dmp

Download
memory/1412-6-0x0000000000000000-mapping.dmp

Download
memory/1524-18-0x0000000000000000-mapping.dmp

Download
memory/1544-17-0x0000000000000000-mapping.dmp

Download
memory/1556-27-0x0000000000000000-mapping.dmp

Download
memory/1556-28-0x0000000000000000-mapping.dmp

Download
memory/1620-24-0x0000000000412214-mapping.dmp

Download
memory/1688-19-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads