Analysis
-
max time kernel
151s -
max time network
44s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
19-07-2020 19:50
General
-
Target
iceix_1.2.6.0.vir.exe
-
Size
502KB
-
MD5
fa0ac95c9e929f9a1933877c05be4a60
-
SHA1
3d7f5484ec822ea8f9dd021f4e4f18fa08dfc562
-
SHA256
ff6353b97df24c70f01f79c12c29d597c8fdf84675fa4ccae6994c5e8e9798cf
-
SHA512
8c75e13f65ecd02e255ff9acd0ec11166f0a9ba5a067160555db847dfcc1bc4d9f3a3b0cd3c50bc7eab074acd3d50164e6f61bb9537f17803c6f2e6c5b60d44d
Score
8/10
Malware Config
Signatures
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Modifies service 2 TTPs 5 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Loads dropped DLL 8 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 113 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks whether UAC is enabled 1 IoCs
-
Executes dropped EXE 4 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\iceix_1.2.6.0.vir.exe"C:\Users\Admin\AppData\Local\Temp\iceix_1.2.6.0.vir.exe"2⤵
- Adds Run key to start application
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scrC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr3⤵
- Suspicious use of SetThreadContext
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scrC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr4⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe418166e.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Qubao\ybhoac.exe"6⤵
- Modifies service
-
C:\Users\Admin\AppData\Roaming\Qubao\ybhoac.exe"C:\Users\Admin\AppData\Roaming\Qubao\ybhoac.exe"5⤵
- Suspicious use of SetThreadContext
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Qubao\ybhoac.exe"C:\Users\Admin\AppData\Roaming\Qubao\ybhoac.exe"6⤵
- Adds Run key to start application
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpdeaa0b86.bat"5⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" -Embedding1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\CSIDL_
-
C:\Users\Admin\AppData\Local\CSIDL_X
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.sc_
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr
-
C:\Users\Admin\AppData\Local\Temp\tmpdeaa0b86.bat
-
C:\Users\Admin\AppData\Local\Temp\tmpe418166e.bat
-
C:\Users\Admin\AppData\Roaming\Aquxtof\siumra.qux
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif
-
C:\Users\Admin\AppData\Roaming\Qubao\ybhoac.exe
-
C:\Users\Admin\AppData\Roaming\Qubao\ybhoac.exe
-
C:\Users\Admin\AppData\Roaming\Qubao\ybhoac.exe
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr
-
\Users\Admin\AppData\Roaming\Qubao\ybhoac.exe
-
\Users\Admin\AppData\Roaming\Qubao\ybhoac.exe
-
\Users\Admin\AppData\Roaming\Qubao\ybhoac.exe
-
\Users\Admin\AppData\Roaming\Qubao\ybhoac.exe
-
\Users\Admin\AppData\Roaming\Qubao\ybhoac.exe
-
memory/112-19-0x0000000000000000-mapping.dmp
-
memory/476-16-0x0000000000000000-mapping.dmp
-
memory/508-35-0x0000000000000000-mapping.dmp
-
memory/868-2-0x0000000000000000-mapping.dmp
-
memory/1336-30-0x00000000004154B2-mapping.dmp
-
memory/1396-11-0x0000000000400000-0x00000000009DC000-memory.dmpFilesize
5.9MB
-
memory/1396-10-0x0000000000400000-0x00000000009DC000-memory.dmpFilesize
5.9MB
-
memory/1396-12-0x0000000000400000-0x00000000009DC000-memory.dmpFilesize
5.9MB
-
memory/1396-7-0x000000000040D560-mapping.dmp
-
memory/1396-34-0x000000000040D560-mapping.dmp
-
memory/1396-6-0x0000000000400000-0x00000000009DC000-memory.dmpFilesize
5.9MB
-
memory/1492-9-0x0000000000400000-0x000000000A040000-memory.dmpFilesize
156.2MB
-
memory/1492-13-0x00000000004154B2-mapping.dmp
-
memory/1492-15-0x0000000000400000-0x000000000A040000-memory.dmpFilesize
156.2MB
-
memory/1540-24-0x0000000000000000-mapping.dmp
-
memory/1564-44-0x0000000003BC0000-0x0000000003CC0000-memory.dmpFilesize
1024KB
-
memory/1564-64-0x00000000043B0000-0x00000000043B2000-memory.dmpFilesize
8KB
-
memory/1564-42-0x0000000003AC0000-0x0000000003BC0000-memory.dmpFilesize
1024KB
-
memory/1564-43-0x0000000003AC0000-0x0000000003CC0000-memory.dmpFilesize
2.0MB
-
memory/1564-38-0x0000000003AC0000-0x0000000003BC0000-memory.dmpFilesize
1024KB
-
memory/1564-48-0x0000000002670000-0x0000000002672000-memory.dmpFilesize
8KB
-
memory/1564-49-0x0000000002690000-0x0000000002692000-memory.dmpFilesize
8KB
-
memory/1564-50-0x0000000002680000-0x0000000002682000-memory.dmpFilesize
8KB
-
memory/1564-51-0x00000000041E0000-0x00000000041E2000-memory.dmpFilesize
8KB
-
memory/1564-52-0x00000000040D0000-0x00000000040D2000-memory.dmpFilesize
8KB
-
memory/1564-53-0x00000000040E0000-0x00000000040E2000-memory.dmpFilesize
8KB
-
memory/1564-54-0x00000000026E0000-0x00000000026E2000-memory.dmpFilesize
8KB
-
memory/1564-55-0x0000000002670000-0x0000000002672000-memory.dmpFilesize
8KB
-
memory/1564-56-0x0000000004340000-0x0000000004342000-memory.dmpFilesize
8KB
-
memory/1564-57-0x00000000040E0000-0x00000000040E2000-memory.dmpFilesize
8KB
-
memory/1564-58-0x0000000004390000-0x0000000004392000-memory.dmpFilesize
8KB
-
memory/1564-59-0x0000000003E00000-0x0000000003E02000-memory.dmpFilesize
8KB
-
memory/1564-60-0x00000000026E0000-0x00000000026E2000-memory.dmpFilesize
8KB
-
memory/1564-61-0x0000000002670000-0x0000000002672000-memory.dmpFilesize
8KB
-
memory/1564-62-0x0000000004340000-0x0000000004342000-memory.dmpFilesize
8KB
-
memory/1564-63-0x00000000040E0000-0x00000000040E2000-memory.dmpFilesize
8KB
-
memory/1564-40-0x0000000003AC0000-0x0000000003CC0000-memory.dmpFilesize
2.0MB
-
memory/1564-65-0x0000000004390000-0x0000000004392000-memory.dmpFilesize
8KB
-
memory/1564-66-0x00000000040C0000-0x00000000040C2000-memory.dmpFilesize
8KB
-
memory/1564-67-0x00000000043C0000-0x00000000043C2000-memory.dmpFilesize
8KB
-
memory/1564-68-0x0000000004630000-0x0000000004632000-memory.dmpFilesize
8KB
-
memory/1564-69-0x0000000004360000-0x0000000004362000-memory.dmpFilesize
8KB
-
memory/1564-70-0x0000000002670000-0x0000000002672000-memory.dmpFilesize
8KB
-
memory/1564-71-0x0000000002700000-0x0000000002702000-memory.dmpFilesize
8KB
-
memory/1564-72-0x00000000040C0000-0x00000000040C2000-memory.dmpFilesize
8KB
-
memory/1564-73-0x0000000002720000-0x0000000002722000-memory.dmpFilesize
8KB
-
memory/1564-74-0x00000000040C0000-0x00000000040C2000-memory.dmpFilesize
8KB
-
memory/1564-75-0x0000000003CD0000-0x0000000003CD2000-memory.dmpFilesize
8KB
-
memory/1564-76-0x0000000002720000-0x0000000002722000-memory.dmpFilesize
8KB
-
memory/1564-77-0x0000000003E20000-0x0000000003E22000-memory.dmpFilesize
8KB
-
memory/1564-78-0x0000000003E30000-0x0000000003E32000-memory.dmpFilesize
8KB
-
memory/1564-79-0x00000000040A0000-0x00000000040A2000-memory.dmpFilesize
8KB
-
memory/1564-80-0x0000000002670000-0x0000000002672000-memory.dmpFilesize
8KB
-
memory/1564-81-0x0000000004350000-0x0000000004352000-memory.dmpFilesize
8KB
-
memory/1564-82-0x0000000002700000-0x0000000002702000-memory.dmpFilesize
8KB
-
memory/1564-83-0x0000000003AC0000-0x0000000003CC0000-memory.dmpFilesize
2.0MB
-
memory/1564-84-0x0000000003BC0000-0x0000000003CC0000-memory.dmpFilesize
1024KB
-
memory/1564-85-0x0000000002270000-0x0000000002280000-memory.dmpFilesize
64KB
-
memory/1564-91-0x0000000000590000-0x00000000005A0000-memory.dmpFilesize
64KB