icexloader | 060fadd3d3457e00c562d2cd3810ee1b8ce96bbb5550006468270ea45bb7b7c3

General

Target

926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe
Size

347KB
MD5

f215f4d6043bc0c81d8beafcce0aabb2
SHA1

7168feb0237b8cc9a49dd53d7a6b4e26b7037e66
SHA256

926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496
SHA512

cea505712e00e926e1fe98cd6b67d064ff2871d785267ecbd2c3367e6cbc09c494e5b763030636dca4d1f7f0a0fe50dbe9f85ef1b21021f7220b2c56a2177bf6

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

Detects IceXLoader v3.0 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe	family_icexloader_v3
C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe	family_icexloader_v3
\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe	family_icexloader_v3
C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader
Executes dropped EXE 1 IoCs

Processes:

WindowsDefenderAgent.exe.exe

pid process

1708 WindowsDefenderAgent.exe.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1468 cmd.exe

pid	process
1708	WindowsDefenderAgent.exe.exe

pid	process
1468	cmd.exe

Drops startup file 1 IoCs

Processes:

926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefenderAgent.exe.exe	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

756 cmd.exe
756 cmd.exe

pid	process
756	cmd.exe
756	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderAgent.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsDefenderAgent.exe.exe\""	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderAgent.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsDefenderAgent.exe.exe\""	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1204 timeout.exe
2044 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1996 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1996 powershell.exe

pid	process
1204	timeout.exe
2044	timeout.exe

pid	process
1996	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1996	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.execmd.execmd.exeWindowsDefenderAgent.exe.execmd.exe

description	pid	process	target process
PID 1052 wrote to memory of 756	1052	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe	cmd.exe
PID 1052 wrote to memory of 756	1052	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe	cmd.exe
PID 1052 wrote to memory of 756	1052	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe	cmd.exe
PID 1052 wrote to memory of 756	1052	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe	cmd.exe
PID 1052 wrote to memory of 1468	1052	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe	cmd.exe
PID 1052 wrote to memory of 1468	1052	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe	cmd.exe
PID 1052 wrote to memory of 1468	1052	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe	cmd.exe
PID 1052 wrote to memory of 1468	1052	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe	cmd.exe
PID 756 wrote to memory of 1204	756	cmd.exe	timeout.exe
PID 756 wrote to memory of 1204	756	cmd.exe	timeout.exe
PID 756 wrote to memory of 1204	756	cmd.exe	timeout.exe
PID 756 wrote to memory of 1204	756	cmd.exe	timeout.exe
PID 1468 wrote to memory of 2044	1468	cmd.exe	timeout.exe
PID 1468 wrote to memory of 2044	1468	cmd.exe	timeout.exe
PID 1468 wrote to memory of 2044	1468	cmd.exe	timeout.exe
PID 1468 wrote to memory of 2044	1468	cmd.exe	timeout.exe
PID 756 wrote to memory of 1708	756	cmd.exe	WindowsDefenderAgent.exe.exe
PID 756 wrote to memory of 1708	756	cmd.exe	WindowsDefenderAgent.exe.exe
PID 756 wrote to memory of 1708	756	cmd.exe	WindowsDefenderAgent.exe.exe
PID 756 wrote to memory of 1708	756	cmd.exe	WindowsDefenderAgent.exe.exe
PID 1708 wrote to memory of 2036	1708	WindowsDefenderAgent.exe.exe	cmd.exe
PID 1708 wrote to memory of 2036	1708	WindowsDefenderAgent.exe.exe	cmd.exe
PID 1708 wrote to memory of 2036	1708	WindowsDefenderAgent.exe.exe	cmd.exe
PID 1708 wrote to memory of 2036	1708	WindowsDefenderAgent.exe.exe	cmd.exe
PID 2036 wrote to memory of 1996	2036	cmd.exe	powershell.exe
PID 2036 wrote to memory of 1996	2036	cmd.exe	powershell.exe
PID 2036 wrote to memory of 1996	2036	cmd.exe	powershell.exe
PID 2036 wrote to memory of 1996	2036	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe
"C:\Users\Admin\AppData\Local\Temp\926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd /c timeout 2 & "C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:1204

C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe
"C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c timeout 1 & del /F "C:\Users\Admin\AppData\Local\Temp\926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2044

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file.bat
Filesize
258B

MD5
954231b1d097e6d3b68366b219f24460

SHA1
3be2c3d74d95b1c6470638edf6c904cadcd93b8e

SHA256
d9d1529df835ddaea27342f27911bc9bb007371a73af3f093e573f2d7c2ece71

SHA512
4540a44cbef24c8beef87f240c1fadea25b1f428b0fe28d60772722c2b33aad4b053b5c58f069b3f6ebd27e8483c51c88a00e85c1f10c6abe242598439c6a46f

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe
Filesize
347KB

MD5
f215f4d6043bc0c81d8beafcce0aabb2

SHA1
7168feb0237b8cc9a49dd53d7a6b4e26b7037e66

SHA256
926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496

SHA512
cea505712e00e926e1fe98cd6b67d064ff2871d785267ecbd2c3367e6cbc09c494e5b763030636dca4d1f7f0a0fe50dbe9f85ef1b21021f7220b2c56a2177bf6

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe
Filesize
347KB

MD5
f215f4d6043bc0c81d8beafcce0aabb2

SHA1
7168feb0237b8cc9a49dd53d7a6b4e26b7037e66

SHA256
926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496

SHA512
cea505712e00e926e1fe98cd6b67d064ff2871d785267ecbd2c3367e6cbc09c494e5b763030636dca4d1f7f0a0fe50dbe9f85ef1b21021f7220b2c56a2177bf6

Download Submit
\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe
Filesize
347KB

MD5
f215f4d6043bc0c81d8beafcce0aabb2

SHA1
7168feb0237b8cc9a49dd53d7a6b4e26b7037e66

SHA256
926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496

SHA512
cea505712e00e926e1fe98cd6b67d064ff2871d785267ecbd2c3367e6cbc09c494e5b763030636dca4d1f7f0a0fe50dbe9f85ef1b21021f7220b2c56a2177bf6

Download Submit
\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe
Filesize
347KB

MD5
f215f4d6043bc0c81d8beafcce0aabb2

SHA1
7168feb0237b8cc9a49dd53d7a6b4e26b7037e66

SHA256
926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496

SHA512
cea505712e00e926e1fe98cd6b67d064ff2871d785267ecbd2c3367e6cbc09c494e5b763030636dca4d1f7f0a0fe50dbe9f85ef1b21021f7220b2c56a2177bf6

Download Submit
memory/756-55-0x0000000000000000-mapping.dmp

Download
memory/1052-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1204-57-0x0000000000000000-mapping.dmp

Download
memory/1468-56-0x0000000000000000-mapping.dmp

Download
memory/1708-62-0x0000000000000000-mapping.dmp

Download
memory/1996-67-0x0000000000000000-mapping.dmp

Download
memory/1996-69-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-70-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-65-0x0000000000000000-mapping.dmp

Download
memory/2044-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads