icexloader | 6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

Analysis

max time kernel
41s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-06-2022 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Size

348KB
MD5

0075306f5fda6d70684ecd0f29a61f2e
SHA1

4e9d843f432c27434898864258d53787c7b207f9
SHA256

6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794
SHA512

a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

Detects IceXLoader v3.0 4 IoCs

resource	yara_rule
behavioral1/files/0x000a000000003c9f-59.dat	family_icexloader_v3
behavioral1/files/0x000a000000003c9f-60.dat	family_icexloader_v3
behavioral1/files/0x000a000000003c9f-61.dat	family_icexloader_v3
behavioral1/files/0x000a000000003c9f-63.dat	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Executes dropped EXE 1 IoCs

pid	Process
2040	EGe.exe

Deletes itself 1 IoCs

pid	Process
1716	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EGe.exe	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe

Loads dropped DLL 2 IoCs

pid	Process
1704	cmd.exe
1704	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\EGe = "\"C:\\Users\\Admin\\AppData\\Roaming\\EGe.exe\""	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGe = "\"C:\\Users\\Admin\\AppData\\Roaming\\EGe.exe\""	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1296	timeout.exe
2020	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
928	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	928	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 1704	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	28
PID 336 wrote to memory of 1704	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	28
PID 336 wrote to memory of 1704	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	28
PID 336 wrote to memory of 1704	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	28
PID 336 wrote to memory of 1716	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	29
PID 336 wrote to memory of 1716	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	29
PID 336 wrote to memory of 1716	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	29
PID 336 wrote to memory of 1716	336	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	29
PID 1716 wrote to memory of 1296	1716	cmd.exe	32
PID 1716 wrote to memory of 1296	1716	cmd.exe	32
PID 1716 wrote to memory of 1296	1716	cmd.exe	32
PID 1716 wrote to memory of 1296	1716	cmd.exe	32
PID 1704 wrote to memory of 2020	1704	cmd.exe	33
PID 1704 wrote to memory of 2020	1704	cmd.exe	33
PID 1704 wrote to memory of 2020	1704	cmd.exe	33
PID 1704 wrote to memory of 2020	1704	cmd.exe	33
PID 1704 wrote to memory of 2040	1704	cmd.exe	34
PID 1704 wrote to memory of 2040	1704	cmd.exe	34
PID 1704 wrote to memory of 2040	1704	cmd.exe	34
PID 1704 wrote to memory of 2040	1704	cmd.exe	34
PID 2040 wrote to memory of 1808	2040	EGe.exe	35
PID 2040 wrote to memory of 1808	2040	EGe.exe	35
PID 2040 wrote to memory of 1808	2040	EGe.exe	35
PID 2040 wrote to memory of 1808	2040	EGe.exe	35
PID 1808 wrote to memory of 928	1808	cmd.exe	37
PID 1808 wrote to memory of 928	1808	cmd.exe	37
PID 1808 wrote to memory of 928	1808	cmd.exe	37
PID 1808 wrote to memory of 928	1808	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
"C:\Users\Admin\AppData\Local\Temp\6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 2 & "C:\Users\Admin\AppData\Roaming\EGe.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:2020
- - C:\Users\Admin\AppData\Roaming\EGe.exe
    "C:\Users\Admin\AppData\Roaming\EGe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 1 & del /F "C:\Users\Admin\AppData\Local\Temp\6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
237B

MD5
92f81be29f73852cd4b4c90c05587137

SHA1
99fc680c6e41734b0d79d957dc124ef272d04241

SHA256
f8242358557a69f6a079a5c1b2c821b2429740ac51a11643949a237f027bf133

SHA512
a1bc282b8da2794fa0f1de1f102867bf9baca8d0bf28546757a4c42b1f24ac31f1b5b0f7c3756dadd9802d58f4da7312e0ce992c17079e7f418060c14b472481

Download Submit
C:\Users\Admin\AppData\Roaming\EGe.exe

Filesize
348KB

MD5
0075306f5fda6d70684ecd0f29a61f2e

SHA1
4e9d843f432c27434898864258d53787c7b207f9

SHA256
6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

SHA512
a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Download Submit
C:\Users\Admin\AppData\Roaming\EGe.exe

Filesize
348KB

MD5
0075306f5fda6d70684ecd0f29a61f2e

SHA1
4e9d843f432c27434898864258d53787c7b207f9

SHA256
6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

SHA512
a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Download Submit
\Users\Admin\AppData\Roaming\EGe.exe

Filesize
348KB

MD5
0075306f5fda6d70684ecd0f29a61f2e

SHA1
4e9d843f432c27434898864258d53787c7b207f9

SHA256
6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

SHA512
a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Download Submit
\Users\Admin\AppData\Roaming\EGe.exe

Filesize
348KB

MD5
0075306f5fda6d70684ecd0f29a61f2e

SHA1
4e9d843f432c27434898864258d53787c7b207f9

SHA256
6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

SHA512
a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Download Submit
memory/336-54-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/928-69-0x0000000073D50000-0x00000000742FB000-memory.dmp

Filesize
5.7MB

Download
memory/928-70-0x0000000073D50000-0x00000000742FB000-memory.dmp

Filesize
5.7MB

Download