icexloader | 4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60

Analysis

Target

4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60.exe
Size

347KB
MD5

23eabf874151ed5d663e84bc12631f9e
SHA1

fe8658bf4207335dbd53edcb3c5ea9b15414fbac
SHA256

4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60
SHA512

c6c4197755cad3315a7868c28e50ef44ae29fd6e7aeb41b69fa5f072c69149e09a56adfe0ca1c5c5cf232491ea0ea02c1d9dd5090b3d88fde5c7a05e65c8f6c9

Score

10^/10

icexloader loader

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1484	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 1888	360	4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60.exe	28
PID 360 wrote to memory of 1888	360	4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60.exe	28
PID 360 wrote to memory of 1888	360	4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60.exe	28
PID 360 wrote to memory of 1888	360	4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60.exe	28
PID 1888 wrote to memory of 1484	1888	cmd.exe	30
PID 1888 wrote to memory of 1484	1888	cmd.exe	30
PID 1888 wrote to memory of 1484	1888	cmd.exe	30
PID 1888 wrote to memory of 1484	1888	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60.exe
"C:\Users\Admin\AppData\Local\Temp\4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1484

C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
237B

MD5
2a3a80629926e8af2f9c970639634f55

SHA1
cfc4917692f475460a5123eb91708938d4c6a374

SHA256
36993488710fb210986d284dc81d4e65012632e06834aaef8fb3363fcd9bfb04

SHA512
827605494cff53966048aa9d734f3ab0ea774fd84885797a7ab24a6bda23827a98a3079eb9a2cf2e7ae27d0d86407a4f990d5a2862b791b4c16059cf74233dee

Download Submit
memory/360-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1484-59-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download
memory/1484-60-0x0000000073A20000-0x0000000073FCB000-memory.dmp

Filesize
5.7MB

Download