icexloader | 6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

Analysis

max time kernel
155s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-06-2022 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Size

348KB
MD5

0075306f5fda6d70684ecd0f29a61f2e
SHA1

4e9d843f432c27434898864258d53787c7b207f9
SHA256

6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794
SHA512

a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

Detects IceXLoader v3.0 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000000038-135.dat	family_icexloader_v3
behavioral2/files/0x000b000000000038-136.dat	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Executes dropped EXE 1 IoCs

pid	Process
3880	EGe.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EGe.exe	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EGe = "\"C:\\Users\\Admin\\AppData\\Roaming\\EGe.exe\""	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EGe = "\"C:\\Users\\Admin\\AppData\\Roaming\\EGe.exe\""	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4820	timeout.exe
2664	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3580	powershell.exe
3580	powershell.exe
3536	powershell.exe
3536	powershell.exe
5056	powershell.exe
5056	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 2428	1828	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	80
PID 1828 wrote to memory of 2428	1828	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	80
PID 1828 wrote to memory of 2428	1828	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	80
PID 1828 wrote to memory of 2888	1828	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	81
PID 1828 wrote to memory of 2888	1828	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	81
PID 1828 wrote to memory of 2888	1828	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	81
PID 2428 wrote to memory of 4820	2428	cmd.exe	84
PID 2428 wrote to memory of 4820	2428	cmd.exe	84
PID 2428 wrote to memory of 4820	2428	cmd.exe	84
PID 2888 wrote to memory of 2664	2888	cmd.exe	85
PID 2888 wrote to memory of 2664	2888	cmd.exe	85
PID 2888 wrote to memory of 2664	2888	cmd.exe	85
PID 2428 wrote to memory of 3880	2428	cmd.exe	86
PID 2428 wrote to memory of 3880	2428	cmd.exe	86
PID 2428 wrote to memory of 3880	2428	cmd.exe	86
PID 3880 wrote to memory of 3468	3880	EGe.exe	87
PID 3880 wrote to memory of 3468	3880	EGe.exe	87
PID 3880 wrote to memory of 3468	3880	EGe.exe	87
PID 3468 wrote to memory of 3580	3468	cmd.exe	89
PID 3468 wrote to memory of 3580	3468	cmd.exe	89
PID 3468 wrote to memory of 3580	3468	cmd.exe	89
PID 3468 wrote to memory of 3536	3468	cmd.exe	91
PID 3468 wrote to memory of 3536	3468	cmd.exe	91
PID 3468 wrote to memory of 3536	3468	cmd.exe	91
PID 3468 wrote to memory of 5056	3468	cmd.exe	92
PID 3468 wrote to memory of 5056	3468	cmd.exe	92
PID 3468 wrote to memory of 5056	3468	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
"C:\Users\Admin\AppData\Local\Temp\6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 2 & "C:\Users\Admin\AppData\Roaming\EGe.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:4820
- - C:\Users\Admin\AppData\Roaming\EGe.exe
    "C:\Users\Admin\AppData\Roaming\EGe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\EGe\.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 1 & del /F "C:\Users\Admin\AppData\Local\Temp\6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a19322492b756a9ae41a3437b5eb12f7

SHA1
cd0603dcd1fc917f84ffca7f86e58ed9274c17d5

SHA256
0e3df1acbc083f5eb8cca52dfc81309db3e83eaed2cb1e9f7a572482edbff37b

SHA512
c3b6a73f9b2d92423fa427e081ce2dcff81162557c270a2a0c5faf271c8a19a47de9c8a0d7a284684e33456ca7b7017a9bd8254814493443dd8ce8126dd7fe9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
296174ceb70afb378f19d6ebc88f33a5

SHA1
cfbd5e7793b9167a7f3fc9c339221ed4994063a5

SHA256
70adac0ea0b25eeebf18263c40a820f21451025d22c2f9ceea81ddde2fe74043

SHA512
ab065c96846de14f9e65b08ca5250539dcd015f46e7e8d3e72632b50a9d8ca32008de339c776f8c1ff3d8dd087f6f638346171175ad2a90c70990787c40787e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
237B

MD5
92f81be29f73852cd4b4c90c05587137

SHA1
99fc680c6e41734b0d79d957dc124ef272d04241

SHA256
f8242358557a69f6a079a5c1b2c821b2429740ac51a11643949a237f027bf133

SHA512
a1bc282b8da2794fa0f1de1f102867bf9baca8d0bf28546757a4c42b1f24ac31f1b5b0f7c3756dadd9802d58f4da7312e0ce992c17079e7f418060c14b472481

Download Submit
C:\Users\Admin\AppData\Roaming\EGe.exe

Filesize
348KB

MD5
0075306f5fda6d70684ecd0f29a61f2e

SHA1
4e9d843f432c27434898864258d53787c7b207f9

SHA256
6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

SHA512
a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Download Submit
C:\Users\Admin\AppData\Roaming\EGe.exe

Filesize
348KB

MD5
0075306f5fda6d70684ecd0f29a61f2e

SHA1
4e9d843f432c27434898864258d53787c7b207f9

SHA256
6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

SHA512
a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Download Submit
memory/3536-159-0x0000000070F80000-0x0000000070FCC000-memory.dmp

Filesize
304KB

Download
memory/3580-146-0x0000000006D00000-0x0000000006D32000-memory.dmp

Filesize
200KB

Download
memory/3580-153-0x0000000007C90000-0x0000000007C9E000-memory.dmp

Filesize
56KB

Download
memory/3580-144-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/3580-145-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/3580-142-0x0000000005970000-0x0000000005992000-memory.dmp

Filesize
136KB

Download
memory/3580-147-0x0000000070880000-0x00000000708CC000-memory.dmp

Filesize
304KB

Download
memory/3580-148-0x0000000006CE0000-0x0000000006CFE000-memory.dmp

Filesize
120KB

Download
memory/3580-149-0x00000000080C0000-0x000000000873A000-memory.dmp

Filesize
6.5MB

Download
memory/3580-150-0x0000000005440000-0x000000000545A000-memory.dmp

Filesize
104KB

Download
memory/3580-151-0x0000000007AB0000-0x0000000007ABA000-memory.dmp

Filesize
40KB

Download
memory/3580-152-0x0000000007CE0000-0x0000000007D76000-memory.dmp

Filesize
600KB

Download
memory/3580-143-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/3580-154-0x0000000007D80000-0x0000000007D9A000-memory.dmp

Filesize
104KB

Download
memory/3580-155-0x0000000007CD0000-0x0000000007CD8000-memory.dmp

Filesize
32KB

Download
memory/3580-141-0x00000000059B0000-0x0000000005FD8000-memory.dmp

Filesize
6.2MB

Download
memory/3580-140-0x00000000030C0000-0x00000000030F6000-memory.dmp

Filesize
216KB

Download
memory/5056-162-0x0000000070DC0000-0x0000000070E0C000-memory.dmp

Filesize
304KB

Download