Analysis
max time kernel: 151s
max time network: 64s
platform: windows7_x64
resource: win7
submitted: 19-07-2020 19:34
Static task: static1
Behavioral task: behavioral1
  Sample: iceix_1.2.5.0.vir.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: iceix_1.2.5.0.vir.exe
  Resource: win10
General
Target: iceix_1.2.5.0.vir.exe
Size: 1.0MB
MD5: 3b3b888bcc1668fbd561b500e1e78e37
SHA1: c958f983cdb6be45d7ad8d6a653ff1516b561e42
SHA256: 6e57b3151e696198fa799ccdc91d05ecee2462f5adc2ec5cd591b745165106e8
SHA512: 7117cade23b12e48b55b04c732027846e2f3d6450870fd413e93e665b7d29394287ca5a4871c00ad8c078a74a3eec341a38c2ba161e3274202c60380e6250f88
Malware Config
Signatures
Loads dropped DLL (6 IoCs)
Processes:
pid | process
1140 | iceix_1.2.5.0.vir.exe
1140 | iceix_1.2.5.0.vir.exe
1420 | iceix_1.2.5.0.vir.exe
1420 | iceix_1.2.5.0.vir.exe
304 | asviohu.exe
304 | asviohu.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes:
description | pid | process | target process
PID 1140 set thread context of 1420 | 1140 | iceix_1.2.5.0.vir.exe | iceix_1.2.5.0.vir.exe
PID 304 set thread context of 1724 | 304 | asviohu.exe | asviohu.exe
PID 1328 set thread context of 1888 | 1328 | MBAXG.exe | cmd.exe
PID 1528 set thread context of 1956 | 1528 | MBAXG.exe | cmd.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\Currentversion\Run | asviohu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\{0CDF97C3-E747-4D4C-16F1-DD75F1BED301} = "C:\\Users\\Admin\\AppData\\Roaming\\Qyiceb\\asviohu.exe" | asviohu.exe
Suspicious use of WriteProcessMemory (109 IoCs)
Processes:
description | pid | process | target process
PID 1140 wrote to memory of 1328 | 1140 | iceix_1.2.5.0.vir.exe | MBAXG.exe
PID 1140 wrote to memory of 1328 | 1140 | iceix_1.2.5.0.vir.exe | MBAXG.exe
PID 1140 wrote to memory of 1328 | 1140 | iceix_1.2.5.0.vir.exe | MBAXG.exe
PID 1140 wrote to memory of 1328 | 1140 | iceix_1.2.5.0.vir.exe | MBAXG.exe
PID 1140 wrote to memory of 1420 | 1140 | iceix_1.2.5.0.vir.exe | iceix_1.2.5.0.vir.exe
PID 1140 wrote to memory of 1420 | 1140 | iceix_1.2.5.0.vir.exe | iceix_1.2.5.0.vir.exe
PID 1140 wrote to memory of 1420 | 1140 | iceix_1.2.5.0.vir.exe | iceix_1.2.5.0.vir.exe
PID 1140 wrote to memory of 1420 | 1140 | iceix_1.2.5.0.vir.exe | iceix_1.2.5.0.vir.exe
PID 1140 wrote to memory of 1420 | 1140 | iceix_1.2.5.0.vir.exe | iceix_1.2.5.0.vir.exe
PID 1140 wrote to memory of 1420 | 1140 | iceix_1.2.5.0.vir.exe | iceix_1.2.5.0.vir.exe
PID 1420 wrote to memory of 1600 | 1420 | iceix_1.2.5.0.vir.exe | cmd.exe
PID 1420 wrote to memory of 1600 | 1420 | iceix_1.2.5.0.vir.exe | cmd.exe
PID 1420 wrote to memory of 1600 | 1420 | iceix_1.2.5.0.vir.exe | cmd.exe
PID 1420 wrote to memory of 1600 | 1420 | iceix_1.2.5.0.vir.exe | cmd.exe
PID 1420 wrote to memory of 304 | 1420 | iceix_1.2.5.0.vir.exe | asviohu.exe
PID 1420 wrote to memory of 304 | 1420 | iceix_1.2.5.0.vir.exe | asviohu.exe
PID 1420 wrote to memory of 304 | 1420 | iceix_1.2.5.0.vir.exe | asviohu.exe
PID 1420 wrote to memory of 304 | 1420 | iceix_1.2.5.0.vir.exe | asviohu.exe
PID 1600 wrote to memory of 640 | 1600 | cmd.exe | netsh.exe
PID 1600 wrote to memory of 640 | 1600 | cmd.exe | netsh.exe
PID 1600 wrote to memory of 640 | 1600 | cmd.exe | netsh.exe
PID 1600 wrote to memory of 640 | 1600 | cmd.exe | netsh.exe
PID 304 wrote to memory of 1528 | 304 | asviohu.exe | MBAXG.exe
PID 304 wrote to memory of 1528 | 304 | asviohu.exe | MBAXG.exe
PID 304 wrote to memory of 1528 | 304 | asviohu.exe | MBAXG.exe
PID 304 wrote to memory of 1528 | 304 | asviohu.exe | MBAXG.exe
PID 304 wrote to memory of 1724 | 304 | asviohu.exe | asviohu.exe
PID 304 wrote to memory of 1724 | 304 | asviohu.exe | asviohu.exe
PID 304 wrote to memory of 1724 | 304 | asviohu.exe | asviohu.exe
PID 304 wrote to memory of 1724 | 304 | asviohu.exe | asviohu.exe
PID 304 wrote to memory of 1724 | 304 | asviohu.exe | asviohu.exe
PID 304 wrote to memory of 1724 | 304 | asviohu.exe | asviohu.exe
PID 1420 wrote to memory of 1852 | 1420 | iceix_1.2.5.0.vir.exe | cmd.exe
PID 1420 wrote to memory of 1852 | 1420 | iceix_1.2.5.0.vir.exe | cmd.exe
PID 1420 wrote to memory of 1852 | 1420 | iceix_1.2.5.0.vir.exe | cmd.exe
PID 1420 wrote to memory of 1852 | 1420 | iceix_1.2.5.0.vir.exe | cmd.exe
PID 1724 wrote to memory of 1148 | 1724 | asviohu.exe | taskhost.exe
PID 1724 wrote to memory of 1148 | 1724 | asviohu.exe | taskhost.exe
PID 1724 wrote to memory of 1148 | 1724 | asviohu.exe | taskhost.exe
PID 1724 wrote to memory of 1148 | 1724 | asviohu.exe | taskhost.exe
PID 1724 wrote to memory of 1148 | 1724 | asviohu.exe | taskhost.exe
PID 1724 wrote to memory of 1264 | 1724 | asviohu.exe | Dwm.exe
PID 1724 wrote to memory of 1264 | 1724 | asviohu.exe | Dwm.exe
PID 1724 wrote to memory of 1264 | 1724 | asviohu.exe | Dwm.exe
PID 1724 wrote to memory of 1264 | 1724 | asviohu.exe | Dwm.exe
PID 1724 wrote to memory of 1264 | 1724 | asviohu.exe | Dwm.exe
PID 1724 wrote to memory of 1308 | 1724 | asviohu.exe | Explorer.EXE
PID 1724 wrote to memory of 1308 | 1724 | asviohu.exe | Explorer.EXE
PID 1724 wrote to memory of 1308 | 1724 | asviohu.exe | Explorer.EXE
PID 1724 wrote to memory of 1308 | 1724 | asviohu.exe | Explorer.EXE
PID 1724 wrote to memory of 1308 | 1724 | asviohu.exe | Explorer.EXE
PID 1724 wrote to memory of 1328 | 1724 | asviohu.exe | MBAXG.exe
PID 1724 wrote to memory of 1328 | 1724 | asviohu.exe | MBAXG.exe
PID 1724 wrote to memory of 1328 | 1724 | asviohu.exe | MBAXG.exe
PID 1724 wrote to memory of 1328 | 1724 | asviohu.exe | MBAXG.exe
PID 1724 wrote to memory of 1328 | 1724 | asviohu.exe | MBAXG.exe
PID 1328 wrote to memory of 1888 | 1328 | MBAXG.exe | cmd.exe
PID 1328 wrote to memory of 1888 | 1328 | MBAXG.exe | cmd.exe
PID 1328 wrote to memory of 1888 | 1328 | MBAXG.exe | cmd.exe
PID 1328 wrote to memory of 1888 | 1328 | MBAXG.exe | cmd.exe
PID 1328 wrote to memory of 1888 | 1328 | MBAXG.exe | cmd.exe
PID 1328 wrote to memory of 1888 | 1328 | MBAXG.exe | cmd.exe
PID 1328 wrote to memory of 1888 | 1328 | MBAXG.exe | cmd.exe
PID 1328 wrote to memory of 1888 | 1328 | MBAXG.exe | cmd.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | process
1540 | WinMail.exe
Modifies service (2 TTPs, 5 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI | netsh.exe
NTFS ADS (1 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0F5C13E9-00000001.eml:OECustomProperty | WinMail.exe
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes:
pid | process
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
1724 | asviohu.exe
Deletes itself (1 IoCs)
Processes:
pid | process
1852 | cmd.exe
Modifies Internet Explorer settings (2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy | MBAXG.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | MBAXG.exe
Executes dropped EXE (4 IoCs)
Processes:
pid | process
1328 | MBAXG.exe
304 | asviohu.exe
1528 | MBAXG.exe
1724 | asviohu.exe
Suspicious use of AdjustPrivilegeToken (72 IoCs)
Processes:
description | pid | process
Token: SeSecurityPrivilege | 1420 | iceix_1.2.5.0.vir.exe
Token: SeImpersonatePrivilege | 1328 | MBAXG.exe
Token: SeTcbPrivilege | 1328 | MBAXG.exe
Token: SeChangeNotifyPrivilege | 1328 | MBAXG.exe
Token: SeCreateTokenPrivilege | 1328 | MBAXG.exe
Token: SeBackupPrivilege | 1328 | MBAXG.exe
Token: SeRestorePrivilege | 1328 | MBAXG.exe
Token: SeIncreaseQuotaPrivilege | 1328 | MBAXG.exe
Token: SeAssignPrimaryTokenPrivilege | 1328 | MBAXG.exe
Token: SeImpersonatePrivilege | 1528 | MBAXG.exe
Token: SeTcbPrivilege | 1528 | MBAXG.exe
Token: SeChangeNotifyPrivilege | 1528 | MBAXG.exe
Token: SeCreateTokenPrivilege | 1528 | MBAXG.exe
Token: SeBackupPrivilege | 1528 | MBAXG.exe
Token: SeRestorePrivilege | 1528 | MBAXG.exe
Token: SeIncreaseQuotaPrivilege | 1528 | MBAXG.exe
Token: SeAssignPrimaryTokenPrivilege | 1528 | MBAXG.exe
Token: SeSecurityPrivilege | 1328 | MBAXG.exe
Token: SeSecurityPrivilege | 1328 | MBAXG.exe
Token: SeImpersonatePrivilege | 1528 | MBAXG.exe
Token: SeTcbPrivilege | 1528 | MBAXG.exe
Token: SeChangeNotifyPrivilege | 1528 | MBAXG.exe
Token: SeCreateTokenPrivilege | 1528 | MBAXG.exe
Token: SeBackupPrivilege | 1528 | MBAXG.exe
Token: SeRestorePrivilege | 1528 | MBAXG.exe
Token: SeIncreaseQuotaPrivilege | 1528 | MBAXG.exe
Token: SeAssignPrimaryTokenPrivilege | 1528 | MBAXG.exe
Token: SeImpersonatePrivilege | 1328 | MBAXG.exe
Token: SeTcbPrivilege | 1328 | MBAXG.exe
Token: SeChangeNotifyPrivilege | 1328 | MBAXG.exe
Token: SeCreateTokenPrivilege | 1328 | MBAXG.exe
Token: SeBackupPrivilege | 1328 | MBAXG.exe
Token: SeRestorePrivilege | 1328 | MBAXG.exe
Token: SeIncreaseQuotaPrivilege | 1328 | MBAXG.exe
Token: SeAssignPrimaryTokenPrivilege | 1328 | MBAXG.exe
Token: SeImpersonatePrivilege | 1328 | MBAXG.exe
Token: SeTcbPrivilege | 1328 | MBAXG.exe
Token: SeChangeNotifyPrivilege | 1328 | MBAXG.exe
Token: SeCreateTokenPrivilege | 1328 | MBAXG.exe
Token: SeBackupPrivilege | 1328 | MBAXG.exe
Token: SeRestorePrivilege | 1328 | MBAXG.exe
Token: SeIncreaseQuotaPrivilege | 1328 | MBAXG.exe
Token: SeAssignPrimaryTokenPrivilege | 1328 | MBAXG.exe
Token: SeImpersonatePrivilege | 1328 | MBAXG.exe
Token: SeTcbPrivilege | 1328 | MBAXG.exe
Token: SeChangeNotifyPrivilege | 1328 | MBAXG.exe
Token: SeCreateTokenPrivilege | 1328 | MBAXG.exe
Token: SeBackupPrivilege | 1328 | MBAXG.exe
Token: SeRestorePrivilege | 1328 | MBAXG.exe
Token: SeIncreaseQuotaPrivilege | 1328 | MBAXG.exe
Token: SeAssignPrimaryTokenPrivilege | 1328 | MBAXG.exe
Token: SeImpersonatePrivilege | 1528 | MBAXG.exe
Token: SeTcbPrivilege | 1528 | MBAXG.exe
Token: SeChangeNotifyPrivilege | 1528 | MBAXG.exe
Token: SeCreateTokenPrivilege | 1528 | MBAXG.exe
Token: SeBackupPrivilege | 1528 | MBAXG.exe
Token: SeRestorePrivilege | 1528 | MBAXG.exe
Token: SeIncreaseQuotaPrivilege | 1528 | MBAXG.exe
Token: SeAssignPrimaryTokenPrivilege | 1528 | MBAXG.exe
Token: SeImpersonatePrivilege | 1528 | MBAXG.exe
Token: SeTcbPrivilege | 1528 | MBAXG.exe
Token: SeChangeNotifyPrivilege | 1528 | MBAXG.exe
Token: SeCreateTokenPrivilege | 1528 | MBAXG.exe
Token: SeBackupPrivilege | 1528 | MBAXG.exe
Modifies Windows Firewall (1 TTPs)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\iceix_1.2.5.0.vir.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\iceix_1.2.5.0.vir.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\MBAXG.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\MBAXG.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - Modifies Internet Explorer settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\74724.bat" "C:\Users\Admin\AppData\Local\Temp\MBAXG.exe" "
    - C:\Users\Admin\AppData\Local\Temp\iceix_1.2.5.0.vir.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\iceix_1.2.5.0.vir.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4c1f8b0e.bat"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\netsh.exe
          command line: netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe"
          - Modifies service
      - C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe
        command line: "C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\MBAXG.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\MBAXG.exe"
          - Suspicious use of SetThreadContext
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\75114.bat" "C:\Users\Admin\AppData\Local\Temp\MBAXG.exe" "
        - C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe
          command line: "C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe"
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - Suspicious behavior: EnumeratesProcesses
          - Executes dropped EXE
      - C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfc65a84c.bat"
        - Deletes itself
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Program Files\Windows Mail\WinMail.exe
  command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  - Suspicious use of SetWindowsHookEx
  - NTFS ADS
- C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-19798759631075434944-15418545151504883715-188750250113054051191873933435-57240694"
- C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-237386827-1661159246-1444523898-5403431271605636964297507131005161905-1809778242"
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\74724.bat
- C:\Users\Admin\AppData\Local\Temp\75114.bat
- C:\Users\Admin\AppData\Local\Temp\MBAXG.exe
- C:\Users\Admin\AppData\Local\Temp\MBAXG.exe
- C:\Users\Admin\AppData\Local\Temp\MBAXG.exe
- C:\Users\Admin\AppData\Local\Temp\tmp4c1f8b0e.bat
- C:\Users\Admin\AppData\Local\Temp\tmpfc65a84c.bat
- C:\Users\Admin\AppData\Roaming\Fiotby\kuehpor.dav
- C:\Users\Admin\AppData\Roaming\Fiotby\kuehpor.dav
- C:\Users\Admin\AppData\Roaming\Fiotby\kuehpor.dav
- C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe
- C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe
- C:\Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe
- \Users\Admin\AppData\Local\Temp\MBAXG.exe
- \Users\Admin\AppData\Local\Temp\MBAXG.exe
- \Users\Admin\AppData\Local\Temp\MBAXG.exe
- \Users\Admin\AppData\Local\Temp\MBAXG.exe
- \Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe
- \Users\Admin\AppData\Roaming\Qyiceb\asviohu.exe
- memory/304-10-0x0000000000000000-mapping.dmp
- memory/640-13-0x0000000000000000-mapping.dmp
- memory/1328-25-0x0000000000000000-mapping.dmp
- memory/1328-2-0x0000000000000000-mapping.dmp
- memory/1420-5-0x000000000040E0F1-mapping.dmp
- memory/1420-6-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize: 156KB)
- memory/1420-4-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize: 156KB)
- memory/1528-32-0x0000000000000000-mapping.dmp
- memory/1528-17-0x0000000000000000-mapping.dmp
- memory/1540-46-0x0000000003AF0000-0x0000000003AF2000-memory.dmp (Filesize: 8KB)
- memory/1540-31-0x0000000003880000-0x0000000003A80000-memory.dmp (Filesize: 2.0MB)
- memory/1540-29-0x0000000003880000-0x0000000003980000-memory.dmp (Filesize: 1024KB)
- memory/1540-45-0x0000000003AD0000-0x0000000003AD2000-memory.dmp (Filesize: 8KB)
- memory/1540-37-0x0000000003880000-0x0000000003980000-memory.dmp (Filesize: 1024KB)
- memory/1540-47-0x0000000003AE0000-0x0000000003AE2000-memory.dmp (Filesize: 8KB)
- memory/1540-41-0x0000000003980000-0x0000000003A80000-memory.dmp (Filesize: 1024KB)
- memory/1540-39-0x0000000003880000-0x0000000003A80000-memory.dmp (Filesize: 2.0MB)
- memory/1600-7-0x0000000000000000-mapping.dmp
- memory/1724-21-0x000000000040E0F1-mapping.dmp
- memory/1852-24-0x0000000000000000-mapping.dmp
- memory/1888-28-0x000000000005DD63-mapping.dmp
- memory/1888-27-0x0000000000050000-0x0000000000077000-memory.dmp (Filesize: 156KB)
- memory/1956-36-0x000000000005DD63-mapping.dmp
- memory/1956-35-0x0000000000050000-0x0000000000077000-memory.dmp (Filesize: 156KB)