Overview

overview

8

Static

static

iceix_1.2.2.0.vir.exe

windows7_x64

8

iceix_1.2.2.0.vir.exe

windows10_x64

3

Analysis

  • max time kernel
    152s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    19-07-2020 19:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    iceix_1.2.2.0.vir.exe

  • Size

    271KB

  • MD5

    b818f1dce8587940c47217dc0fd3315a

  • SHA1

    72dc63def88ee7f0e43531df0040e8d18daedce6

  • SHA256

    163fbd87c9a947ce59016e42a9e768ef2e801d0a2785ec48fb9b301d884cf759

  • SHA512

    a3193d3fcd4f439d435c821043fb67a8e156f96e971d20e42a18ace4634ab1c48f2caf24b33951b18344d4424e5737260a9e813741b80467d9a4a86c54cc009a

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • NTFS ADS 1 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs
  • Loads dropped DLL 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Deletes itself 1 IoCs
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1116
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1248
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1304
          • C:\Users\Admin\AppData\Local\Temp\iceix_1.2.2.0.vir.exe
            "C:\Users\Admin\AppData\Local\Temp\iceix_1.2.2.0.vir.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetThreadContext
            • Modifies Internet Explorer settings
            PID:1296
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7ae6758d.bat"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:600
              • C:\Windows\SysWOW64\netsh.exe
                netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Owqi\egryca.exe"
                4⤵
                • Modifies service
                PID:1568
            • C:\Users\Admin\AppData\Roaming\Owqi\egryca.exe
              "C:\Users\Admin\AppData\Roaming\Owqi\egryca.exe"
              3⤵
              • Adds Run key to start application
              • Suspicious use of WriteProcessMemory
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1392
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp23de9f72.bat"
              3⤵
              • Deletes itself
              • Suspicious use of AdjustPrivilegeToken
              PID:1780
        • C:\Program Files\Windows Mail\WinMail.exe
          "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
          1⤵
          • NTFS ADS
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of AdjustPrivilegeToken
          PID:1068
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1528
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:1948
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
                PID:1396

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Registry Run Keys / Startup Folder

              1
              T1060

              Modify Existing Service

              2
              T1031

              Privilege Escalation

              Defense Evasion

              Modify Registry

              3
              T1112

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\tmp23de9f72.bat
                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\tmp7ae6758d.bat
                Download Submit
              • C:\Users\Admin\AppData\Roaming\Owqi\egryca.exe
                Download Submit
              • C:\Users\Admin\AppData\Roaming\Owqi\egryca.exe
                Download Submit
              • C:\Users\Admin\AppData\Roaming\Zanuky\qyhoegy.kah
                Download Submit
              • \Users\Admin\AppData\Roaming\Owqi\egryca.exe
                Download Submit
              • \Users\Admin\AppData\Roaming\Owqi\egryca.exe
                Download Submit
              • memory/600-0-0x0000000000000000-mapping.dmp
                Download
              • memory/1068-24-0x0000000003D50000-0x0000000003D52000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1068-22-0x0000000003AF0000-0x0000000003AF2000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1068-12-0x00000000038C0000-0x00000000039C0000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/1068-13-0x00000000038C0000-0x0000000003AC0000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/1068-14-0x00000000039C0000-0x0000000003AC0000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/1068-18-0x0000000003AE0000-0x0000000003AE2000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1068-19-0x0000000003AF0000-0x0000000003AF2000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1068-20-0x0000000003AD0000-0x0000000003AD2000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1068-21-0x0000000003D30000-0x0000000003D32000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1068-10-0x00000000038C0000-0x0000000003AC0000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/1068-8-0x00000000038C0000-0x00000000039C0000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/1068-29-0x0000000004280000-0x0000000004282000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1068-28-0x0000000004280000-0x0000000004282000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1068-26-0x0000000003D70000-0x0000000003D72000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1392-3-0x0000000000000000-mapping.dmp
                Download
              • memory/1568-6-0x0000000000000000-mapping.dmp
                Download
              • memory/1780-25-0x00000000000638B4-mapping.dmp
                Download
              • memory/1780-23-0x0000000000050000-0x0000000000077000-memory.dmp
                Filesize

                156KB

                Download