icexloader | 6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

General

Target

6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Size

348KB
MD5

0075306f5fda6d70684ecd0f29a61f2e
SHA1

4e9d843f432c27434898864258d53787c7b207f9
SHA256

6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794
SHA512

a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

Detects IceXLoader v3.0 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\EGe.exe	family_icexloader_v3
C:\Users\Admin\AppData\Roaming\EGe.exe	family_icexloader_v3
\Users\Admin\AppData\Roaming\EGe.exe	family_icexloader_v3
C:\Users\Admin\AppData\Roaming\EGe.exe	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader
Executes dropped EXE 1 IoCs

Processes:

EGe.exe

pid process

2040 EGe.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1716 cmd.exe

pid	process
2040	EGe.exe

pid	process
1716	cmd.exe

Drops startup file 1 IoCs

Processes:

6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EGe.exe	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1704 cmd.exe
1704 cmd.exe

pid	process
1704	cmd.exe
1704	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\EGe = "\"C:\\Users\\Admin\\AppData\\Roaming\\EGe.exe\""	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGe = "\"C:\\Users\\Admin\\AppData\\Roaming\\EGe.exe\""	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1296 timeout.exe
2020 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

928 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 928 powershell.exe

pid	process
1296	timeout.exe
2020	timeout.exe

pid	process
928	powershell.exe

description	pid	process
Token: SeDebugPrivilege	928	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.execmd.execmd.exeEGe.execmd.exe

description	pid	process	target process
PID 336 wrote to memory of 1704	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	cmd.exe
PID 336 wrote to memory of 1704	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	cmd.exe
PID 336 wrote to memory of 1704	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	cmd.exe
PID 336 wrote to memory of 1704	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	cmd.exe
PID 336 wrote to memory of 1716	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	cmd.exe
PID 336 wrote to memory of 1716	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	cmd.exe
PID 336 wrote to memory of 1716	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	cmd.exe
PID 336 wrote to memory of 1716	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	cmd.exe
PID 1716 wrote to memory of 1296	1716	cmd.exe	timeout.exe
PID 1716 wrote to memory of 1296	1716	cmd.exe	timeout.exe
PID 1716 wrote to memory of 1296	1716	cmd.exe	timeout.exe
PID 1716 wrote to memory of 1296	1716	cmd.exe	timeout.exe
PID 1704 wrote to memory of 2020	1704	cmd.exe	timeout.exe
PID 1704 wrote to memory of 2020	1704	cmd.exe	timeout.exe
PID 1704 wrote to memory of 2020	1704	cmd.exe	timeout.exe
PID 1704 wrote to memory of 2020	1704	cmd.exe	timeout.exe
PID 1704 wrote to memory of 2040	1704	cmd.exe	EGe.exe
PID 1704 wrote to memory of 2040	1704	cmd.exe	EGe.exe
PID 1704 wrote to memory of 2040	1704	cmd.exe	EGe.exe
PID 1704 wrote to memory of 2040	1704	cmd.exe	EGe.exe
PID 2040 wrote to memory of 1808	2040	EGe.exe	cmd.exe
PID 2040 wrote to memory of 1808	2040	EGe.exe	cmd.exe
PID 2040 wrote to memory of 1808	2040	EGe.exe	cmd.exe
PID 2040 wrote to memory of 1808	2040	EGe.exe	cmd.exe
PID 1808 wrote to memory of 928	1808	cmd.exe	powershell.exe
PID 1808 wrote to memory of 928	1808	cmd.exe	powershell.exe
PID 1808 wrote to memory of 928	1808	cmd.exe	powershell.exe
PID 1808 wrote to memory of 928	1808	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
"C:\Users\Admin\AppData\Local\Temp\6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\cmd.exe
cmd /c timeout 2 & "C:\Users\Admin\AppData\Roaming\EGe.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:2020

C:\Users\Admin\AppData\Roaming\EGe.exe
"C:\Users\Admin\AppData\Roaming\EGe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\SysWOW64\cmd.exe
cmd /c timeout 1 & del /F "C:\Users\Admin\AppData\Local\Temp\6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1296

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file.bat
Filesize
237B

MD5
92f81be29f73852cd4b4c90c05587137

SHA1
99fc680c6e41734b0d79d957dc124ef272d04241

SHA256
f8242358557a69f6a079a5c1b2c821b2429740ac51a11643949a237f027bf133

SHA512
a1bc282b8da2794fa0f1de1f102867bf9baca8d0bf28546757a4c42b1f24ac31f1b5b0f7c3756dadd9802d58f4da7312e0ce992c17079e7f418060c14b472481

Download Submit
C:\Users\Admin\AppData\Roaming\EGe.exe
Filesize
348KB

MD5
0075306f5fda6d70684ecd0f29a61f2e

SHA1
4e9d843f432c27434898864258d53787c7b207f9

SHA256
6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

SHA512
a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Download Submit
C:\Users\Admin\AppData\Roaming\EGe.exe
Filesize
348KB

MD5
0075306f5fda6d70684ecd0f29a61f2e

SHA1
4e9d843f432c27434898864258d53787c7b207f9

SHA256
6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

SHA512
a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Download Submit
\Users\Admin\AppData\Roaming\EGe.exe
Filesize
348KB

MD5
0075306f5fda6d70684ecd0f29a61f2e

SHA1
4e9d843f432c27434898864258d53787c7b207f9

SHA256
6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

SHA512
a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Download Submit
\Users\Admin\AppData\Roaming\EGe.exe
Filesize
348KB

MD5
0075306f5fda6d70684ecd0f29a61f2e

SHA1
4e9d843f432c27434898864258d53787c7b207f9

SHA256
6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

SHA512
a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Download Submit
memory/336-54-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/928-67-0x0000000000000000-mapping.dmp

Download
memory/928-69-0x0000000073D50000-0x00000000742FB000-memory.dmp

Filesize
5.7MB

Download
memory/928-70-0x0000000073D50000-0x00000000742FB000-memory.dmp

Filesize
5.7MB

Download
memory/1296-57-0x0000000000000000-mapping.dmp

Download
memory/1704-55-0x0000000000000000-mapping.dmp

Download
memory/1716-56-0x0000000000000000-mapping.dmp

Download
memory/1808-65-0x0000000000000000-mapping.dmp

Download
memory/2020-58-0x0000000000000000-mapping.dmp

Download
memory/2040-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads