icexloader | 6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

General

Target

6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Size

348KB
MD5

0075306f5fda6d70684ecd0f29a61f2e
SHA1

4e9d843f432c27434898864258d53787c7b207f9
SHA256

6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794
SHA512

a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

Detects IceXLoader v3.0 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\EGe.exe	family_icexloader_v3
C:\Users\Admin\AppData\Roaming\EGe.exe	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader
Executes dropped EXE 1 IoCs

Processes:

EGe.exe

pid process

3880 EGe.exe

pid	process
3880	EGe.exe

Drops startup file 1 IoCs

Processes:

6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EGe.exe	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EGe = "\"C:\\Users\\Admin\\AppData\\Roaming\\EGe.exe\""	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EGe = "\"C:\\Users\\Admin\\AppData\\Roaming\\EGe.exe\""	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4820 timeout.exe
2664 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3580 powershell.exe
3580 powershell.exe
3536 powershell.exe
3536 powershell.exe
5056 powershell.exe
5056 powershell.exe

pid	process
4820	timeout.exe
2664	timeout.exe

pid	process
3580	powershell.exe
3580	powershell.exe
3536	powershell.exe
3536	powershell.exe
5056	powershell.exe
5056	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exeEGe.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeRemoteShutdownPrivilege	3880	EGe.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.execmd.execmd.exeEGe.execmd.exe

description	pid	process	target process
PID 1828 wrote to memory of 2428	1828	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	cmd.exe
PID 1828 wrote to memory of 2428	1828	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	cmd.exe
PID 1828 wrote to memory of 2428	1828	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	cmd.exe
PID 1828 wrote to memory of 2888	1828	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	cmd.exe
PID 1828 wrote to memory of 2888	1828	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	cmd.exe
PID 1828 wrote to memory of 2888	1828	6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe	cmd.exe
PID 2428 wrote to memory of 4820	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 4820	2428	cmd.exe	timeout.exe
PID 2428 wrote to memory of 4820	2428	cmd.exe	timeout.exe
PID 2888 wrote to memory of 2664	2888	cmd.exe	timeout.exe
PID 2888 wrote to memory of 2664	2888	cmd.exe	timeout.exe
PID 2888 wrote to memory of 2664	2888	cmd.exe	timeout.exe
PID 2428 wrote to memory of 3880	2428	cmd.exe	EGe.exe
PID 2428 wrote to memory of 3880	2428	cmd.exe	EGe.exe
PID 2428 wrote to memory of 3880	2428	cmd.exe	EGe.exe
PID 3880 wrote to memory of 3468	3880	EGe.exe	cmd.exe
PID 3880 wrote to memory of 3468	3880	EGe.exe	cmd.exe
PID 3880 wrote to memory of 3468	3880	EGe.exe	cmd.exe
PID 3468 wrote to memory of 3580	3468	cmd.exe	powershell.exe
PID 3468 wrote to memory of 3580	3468	cmd.exe	powershell.exe
PID 3468 wrote to memory of 3580	3468	cmd.exe	powershell.exe
PID 3468 wrote to memory of 3536	3468	cmd.exe	powershell.exe
PID 3468 wrote to memory of 3536	3468	cmd.exe	powershell.exe
PID 3468 wrote to memory of 3536	3468	cmd.exe	powershell.exe
PID 3468 wrote to memory of 5056	3468	cmd.exe	powershell.exe
PID 3468 wrote to memory of 5056	3468	cmd.exe	powershell.exe
PID 3468 wrote to memory of 5056	3468	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe
"C:\Users\Admin\AppData\Local\Temp\6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c timeout 2 & "C:\Users\Admin\AppData\Roaming\EGe.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:4820

C:\Users\Admin\AppData\Roaming\EGe.exe
"C:\Users\Admin\AppData\Roaming\EGe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\EGe\.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\SysWOW64\cmd.exe
cmd /c timeout 1 & del /F "C:\Users\Admin\AppData\Local\Temp\6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
a19322492b756a9ae41a3437b5eb12f7

SHA1
cd0603dcd1fc917f84ffca7f86e58ed9274c17d5

SHA256
0e3df1acbc083f5eb8cca52dfc81309db3e83eaed2cb1e9f7a572482edbff37b

SHA512
c3b6a73f9b2d92423fa427e081ce2dcff81162557c270a2a0c5faf271c8a19a47de9c8a0d7a284684e33456ca7b7017a9bd8254814493443dd8ce8126dd7fe9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
296174ceb70afb378f19d6ebc88f33a5

SHA1
cfbd5e7793b9167a7f3fc9c339221ed4994063a5

SHA256
70adac0ea0b25eeebf18263c40a820f21451025d22c2f9ceea81ddde2fe74043

SHA512
ab065c96846de14f9e65b08ca5250539dcd015f46e7e8d3e72632b50a9d8ca32008de339c776f8c1ff3d8dd087f6f638346171175ad2a90c70990787c40787e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat
Filesize
237B

MD5
92f81be29f73852cd4b4c90c05587137

SHA1
99fc680c6e41734b0d79d957dc124ef272d04241

SHA256
f8242358557a69f6a079a5c1b2c821b2429740ac51a11643949a237f027bf133

SHA512
a1bc282b8da2794fa0f1de1f102867bf9baca8d0bf28546757a4c42b1f24ac31f1b5b0f7c3756dadd9802d58f4da7312e0ce992c17079e7f418060c14b472481

Download Submit
C:\Users\Admin\AppData\Roaming\EGe.exe
Filesize
348KB

MD5
0075306f5fda6d70684ecd0f29a61f2e

SHA1
4e9d843f432c27434898864258d53787c7b207f9

SHA256
6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

SHA512
a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Download Submit
C:\Users\Admin\AppData\Roaming\EGe.exe
Filesize
348KB

MD5
0075306f5fda6d70684ecd0f29a61f2e

SHA1
4e9d843f432c27434898864258d53787c7b207f9

SHA256
6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794

SHA512
a55d1d7b927d8923bd0d63cb0060358d081f0fddfc454b85087c0658a3e049ca9ba123994eb0be5307c2cd23131b456af382c81d7ef25e4483efec7f38a27e40

Download Submit
memory/2428-130-0x0000000000000000-mapping.dmp

Download
memory/2664-133-0x0000000000000000-mapping.dmp

Download
memory/2888-131-0x0000000000000000-mapping.dmp

Download
memory/3468-137-0x0000000000000000-mapping.dmp

Download
memory/3536-159-0x0000000070F80000-0x0000000070FCC000-memory.dmp

Filesize
304KB

Download
memory/3536-156-0x0000000000000000-mapping.dmp

Download
memory/3580-146-0x0000000006D00000-0x0000000006D32000-memory.dmp

Filesize
200KB

Download
memory/3580-153-0x0000000007C90000-0x0000000007C9E000-memory.dmp

Filesize
56KB

Download
memory/3580-144-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/3580-145-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/3580-142-0x0000000005970000-0x0000000005992000-memory.dmp

Filesize
136KB

Download
memory/3580-147-0x0000000070880000-0x00000000708CC000-memory.dmp

Filesize
304KB

Download
memory/3580-148-0x0000000006CE0000-0x0000000006CFE000-memory.dmp

Filesize
120KB

Download
memory/3580-149-0x00000000080C0000-0x000000000873A000-memory.dmp

Filesize
6.5MB

Download
memory/3580-150-0x0000000005440000-0x000000000545A000-memory.dmp

Filesize
104KB

Download
memory/3580-151-0x0000000007AB0000-0x0000000007ABA000-memory.dmp

Filesize
40KB

Download
memory/3580-152-0x0000000007CE0000-0x0000000007D76000-memory.dmp

Filesize
600KB

Download
memory/3580-143-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/3580-154-0x0000000007D80000-0x0000000007D9A000-memory.dmp

Filesize
104KB

Download
memory/3580-155-0x0000000007CD0000-0x0000000007CD8000-memory.dmp

Filesize
32KB

Download
memory/3580-141-0x00000000059B0000-0x0000000005FD8000-memory.dmp

Filesize
6.2MB

Download
memory/3580-140-0x00000000030C0000-0x00000000030F6000-memory.dmp

Filesize
216KB

Download
memory/3580-139-0x0000000000000000-mapping.dmp

Download
memory/3880-134-0x0000000000000000-mapping.dmp

Download
memory/4820-132-0x0000000000000000-mapping.dmp

Download
memory/5056-160-0x0000000000000000-mapping.dmp

Download
memory/5056-162-0x0000000070DC0000-0x0000000070E0C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads