Analysis
- max time kernel: 62s
- max time network: 117s
- platform: windows10_x64
- resource: win10
- submitted: 19-07-2020 19:50

Static task: static1

Behavioral task: behavioral1
- Sample: iceix_1.2.6.0.vir.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: iceix_1.2.6.0.vir.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: iceix_1.2.6.0.vir.exe
- Size: 502KB
- MD5: fa0ac95c9e929f9a1933877c05be4a60
- SHA1: 3d7f5484ec822ea8f9dd021f4e4f18fa08dfc562
- SHA256: ff6353b97df24c70f01f79c12c29d597c8fdf84675fa4ccae6994c5e8e9798cf
- SHA512: 8c75e13f65ecd02e255ff9acd0ec11166f0a9ba5a067160555db847dfcc1bc4d9f3a3b0cd3c50bc7eab074acd3d50164e6f61bb9537f17803c6f2e6c5b60d44d
- Score: 8/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
description | pid | process | target process
PID 3940 wrote to memory of 3960 | 3940 | iceix_1.2.6.0.vir.exe | 1.scr
PID 3940 wrote to memory of 3960 | 3940 | iceix_1.2.6.0.vir.exe | 1.scr
PID 3940 wrote to memory of 3960 | 3940 | iceix_1.2.6.0.vir.exe | 1.scr
PID 3960 wrote to memory of 3544 | 3960 | 1.scr | iexplore.exe
PID 3960 wrote to memory of 3544 | 3960 | 1.scr | iexplore.exe
PID 3960 wrote to memory of 3544 | 3960 | 1.scr | iexplore.exe
PID 3960 wrote to memory of 3552 | 3960 | 1.scr | iexplore.exe
PID 3960 wrote to memory of 3552 | 3960 | 1.scr | iexplore.exe
PID 3960 wrote to memory of 3552 | 3960 | 1.scr | iexplore.exe
PID 3960 wrote to memory of 3552 | 3960 | 1.scr | iexplore.exe
PID 3960 wrote to memory of 3552 | 3960 | 1.scr | iexplore.exe
PID 3960 wrote to memory of 3552 | 3960 | 1.scr | iexplore.exe
PID 3960 wrote to memory of 3552 | 3960 | 1.scr | iexplore.exe
PID 3960 wrote to memory of 3552 | 3960 | 1.scr | iexplore.exe
PID 3960 wrote to memory of 3552 | 3960 | 1.scr | iexplore.exe
PID 3960 wrote to memory of 3520 | 3960 | 1.scr | 1.scr
PID 3960 wrote to memory of 3520 | 3960 | 1.scr | 1.scr
PID 3960 wrote to memory of 3520 | 3960 | 1.scr | 1.scr
PID 3960 wrote to memory of 3520 | 3960 | 1.scr | 1.scr
PID 3960 wrote to memory of 3520 | 3960 | 1.scr | 1.scr
PID 3960 wrote to memory of 3520 | 3960 | 1.scr | 1.scr
PID 3960 wrote to memory of 3520 | 3960 | 1.scr | 1.scr
PID 3960 wrote to memory of 3520 | 3960 | 1.scr | 1.scr
PID 3960 wrote to memory of 3520 | 3960 | 1.scr | 1.scr
- Executes dropped EXE (2 IoCs)
Processes:
pid | process
3960 | 1.scr
3520 | 1.scr
- Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
pid | process
3960 | 1.scr
3960 | 1.scr
3552 | iexplore.exe
3552 | iexplore.exe
3552 | iexplore.exe
3552 | iexplore.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
3960 | 1.scr
3960 | 1.scr
- Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 3960 set thread context of 3552 | 3960 | 1.scr | iexplore.exe
PID 3960 set thread context of 3520 | 3960 | 1.scr | 1.scr
- (YARA memory match)
Processes:
resource | yara_rule
behavioral2/memory/3552-4-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral2/memory/3552-7-0x0000000000400000-0x000000000043C000-memory.dmp | upx
behavioral2/memory/3552-8-0x0000000000400000-0x000000000043C000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | iceix_1.2.6.0.vir.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | iceix_1.2.6.0.vir.exe
- Checks whether UAC is enabled (1 IoC)
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | iexplore.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\iceix_1.2.6.0.vir.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\iceix_1.2.6.0.vir.exe"
  - Suspicious use of WriteProcessMemory
  - Adds Run key to start application
  - Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Level 3: C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - Level 3: C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Suspicious use of SetWindowsHookEx
      - Checks whether UAC is enabled
    - Level 3: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.sc_
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.scr
- memory/3520-6-0x0000000000400000-0x000000000A040000-memory.dmp (Filesize: 156.2MB)
- memory/3520-9-0x00000000004154B2-mapping.dmp
- memory/3520-11-0x0000000000400000-0x000000000A040000-memory.dmp (Filesize: 156.2MB)
- memory/3552-4-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/3552-5-0x000000000040D560-mapping.dmp
- memory/3552-7-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/3552-8-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/3960-0-0x0000000000000000-mapping.dmp