icexloader | 4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60

General

Target

4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60.exe
Size

347KB
MD5

23eabf874151ed5d663e84bc12631f9e
SHA1

fe8658bf4207335dbd53edcb3c5ea9b15414fbac
SHA256

4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60
SHA512

c6c4197755cad3315a7868c28e50ef44ae29fd6e7aeb41b69fa5f072c69149e09a56adfe0ca1c5c5cf232491ea0ea02c1d9dd5090b3d88fde5c7a05e65c8f6c9

Score

10^/10

icexloader loader

Malware Config

Signatures

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1764	powershell.exe
1764	powershell.exe
4592	powershell.exe
4592	powershell.exe
1568	powershell.exe
1568	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 2340	4608	4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60.exe	82
PID 4608 wrote to memory of 2340	4608	4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60.exe	82
PID 4608 wrote to memory of 2340	4608	4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60.exe	82
PID 2340 wrote to memory of 1764	2340	cmd.exe	84
PID 2340 wrote to memory of 1764	2340	cmd.exe	84
PID 2340 wrote to memory of 1764	2340	cmd.exe	84
PID 2340 wrote to memory of 4592	2340	cmd.exe	85
PID 2340 wrote to memory of 4592	2340	cmd.exe	85
PID 2340 wrote to memory of 4592	2340	cmd.exe	85
PID 2340 wrote to memory of 1568	2340	cmd.exe	86
PID 2340 wrote to memory of 1568	2340	cmd.exe	86
PID 2340 wrote to memory of 1568	2340	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60.exe
"C:\Users\Admin\AppData\Local\Temp\4c26dbee513067e6d327e4b336b29992fd5270a0a8ecd1e9571378a3fb0bdc60.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\inN\.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ce8355d1f79e725aa3c9e7d2dd5f6e3e

SHA1
3da4c966ce15385c4e58d65cf4750f04c10331c5

SHA256
3deb70127b6a8b17445649680acb987ea8902390e8dc2f072a76d36c170963d2

SHA512
0e08dd20b1271c2388ff9505647613176627093f51e4d58de6ab5907b5e24a552a4c7edde9292242915bd1abb86c923e245fba7018e07d29b7fe869d32197e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3d150fd59637e23f522ac628179aad5a

SHA1
88c725222e50d961a5aa18fe45d7db03d49b4041

SHA256
9745112b1429d159099c2b70b258390153ad48ba0fcea4e2159944aa9b529bf3

SHA512
6f00b65255e6d395480718668aea6fa0b34195fadb2491ba7cb7ccef8a6e36cf535f0e0c0c35f2973c4c10f7cafa77315db81043eb196175baf65e0ea42661dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
237B

MD5
2a3a80629926e8af2f9c970639634f55

SHA1
cfc4917692f475460a5123eb91708938d4c6a374

SHA256
36993488710fb210986d284dc81d4e65012632e06834aaef8fb3363fcd9bfb04

SHA512
827605494cff53966048aa9d734f3ab0ea774fd84885797a7ab24a6bda23827a98a3079eb9a2cf2e7ae27d0d86407a4f990d5a2862b791b4c16059cf74233dee

Download Submit
memory/1568-155-0x00000000712C0000-0x000000007130C000-memory.dmp

Filesize
304KB

Download
memory/1764-142-0x00000000080D0000-0x000000000874A000-memory.dmp

Filesize
6.5MB

Download
memory/1764-145-0x0000000007D20000-0x0000000007DB6000-memory.dmp

Filesize
600KB

Download
memory/1764-138-0x0000000006780000-0x000000000679E000-memory.dmp

Filesize
120KB

Download
memory/1764-139-0x0000000006D40000-0x0000000006D72000-memory.dmp

Filesize
200KB

Download
memory/1764-140-0x0000000070C30000-0x0000000070C7C000-memory.dmp

Filesize
304KB

Download
memory/1764-141-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/1764-143-0x0000000007A80000-0x0000000007A9A000-memory.dmp

Filesize
104KB

Download
memory/1764-144-0x0000000007AF0000-0x0000000007AFA000-memory.dmp

Filesize
40KB

Download
memory/1764-137-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/1764-146-0x0000000007CD0000-0x0000000007CDE000-memory.dmp

Filesize
56KB

Download
memory/1764-147-0x0000000007DC0000-0x0000000007DDA000-memory.dmp

Filesize
104KB

Download
memory/1764-148-0x0000000007D10000-0x0000000007D18000-memory.dmp

Filesize
32KB

Download
memory/1764-133-0x00000000031D0000-0x0000000003206000-memory.dmp

Filesize
216KB

Download
memory/1764-136-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/1764-135-0x00000000058B0000-0x00000000058D2000-memory.dmp

Filesize
136KB

Download
memory/1764-134-0x0000000005910000-0x0000000005F38000-memory.dmp

Filesize
6.2MB

Download
memory/4592-152-0x00000000712C0000-0x000000007130C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads