icexloader | 8f13d11171f32cbb2e13500af64b3eed5f7405c0a7c92045b7aa1b9752e09fcb

General

Target

c5009a0d61af20e1b65995658e11ccd1.exe
Size

2.0MB
MD5

c5009a0d61af20e1b65995658e11ccd1
SHA1

64fa8d4f68bdb72bb0c2c006b20a7c0872e6a2c5
SHA256

8f13d11171f32cbb2e13500af64b3eed5f7405c0a7c92045b7aa1b9752e09fcb
SHA512

b6e630ca8a4b16b5dc4de75cb8745917b6249ab7fc3c3f8494ac20685254cdf7d8f4e5db8a05a2423a0b360daa57fe1d2675208367a135b35cf804696c8788d9

Score

10^/10

icexloader loader

Malware Config

Signatures

Detects IceXLoader v3.0 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2044-62-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-64-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-65-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-66-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-68-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-70-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-71-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-73-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-75-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-77-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-76-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-74-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-78-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-79-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-80-0x00000000004010BA-mapping.dmp	family_icexloader_v3
behavioral1/memory/2044-82-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-85-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral1/memory/2044-92-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

c5009a0d61af20e1b65995658e11ccd1.exe

description pid process target process

PID 1880 set thread context of 2044 1880 c5009a0d61af20e1b65995658e11ccd1.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

584 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1624 powershell.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

c5009a0d61af20e1b65995658e11ccd1.exe

pid process

1880 c5009a0d61af20e1b65995658e11ccd1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c5009a0d61af20e1b65995658e11ccd1.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1880 c5009a0d61af20e1b65995658e11ccd1.exe
Token: SeDebugPrivilege 1624 powershell.exe

description	pid	process	target process
PID 1880 set thread context of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe

pid	process
584	schtasks.exe

pid	process
1624	powershell.exe

pid	process
1880	c5009a0d61af20e1b65995658e11ccd1.exe

description	pid	process
Token: SeDebugPrivilege	1880	c5009a0d61af20e1b65995658e11ccd1.exe
Token: SeDebugPrivilege	1624	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

c5009a0d61af20e1b65995658e11ccd1.execmd.exeRegAsm.execmd.exe

description	pid	process	target process
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 2044	1880	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1880 wrote to memory of 792	1880	c5009a0d61af20e1b65995658e11ccd1.exe	cmd.exe
PID 1880 wrote to memory of 792	1880	c5009a0d61af20e1b65995658e11ccd1.exe	cmd.exe
PID 1880 wrote to memory of 792	1880	c5009a0d61af20e1b65995658e11ccd1.exe	cmd.exe
PID 1880 wrote to memory of 792	1880	c5009a0d61af20e1b65995658e11ccd1.exe	cmd.exe
PID 792 wrote to memory of 584	792	cmd.exe	schtasks.exe
PID 792 wrote to memory of 584	792	cmd.exe	schtasks.exe
PID 792 wrote to memory of 584	792	cmd.exe	schtasks.exe
PID 792 wrote to memory of 584	792	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 1388	2044	RegAsm.exe	cmd.exe
PID 2044 wrote to memory of 1388	2044	RegAsm.exe	cmd.exe
PID 2044 wrote to memory of 1388	2044	RegAsm.exe	cmd.exe
PID 2044 wrote to memory of 1388	2044	RegAsm.exe	cmd.exe
PID 1388 wrote to memory of 1624	1388	cmd.exe	powershell.exe
PID 1388 wrote to memory of 1624	1388	cmd.exe	powershell.exe
PID 1388 wrote to memory of 1624	1388	cmd.exe	powershell.exe
PID 1388 wrote to memory of 1624	1388	cmd.exe	powershell.exe
PID 1880 wrote to memory of 884	1880	c5009a0d61af20e1b65995658e11ccd1.exe	cmd.exe
PID 1880 wrote to memory of 884	1880	c5009a0d61af20e1b65995658e11ccd1.exe	cmd.exe
PID 1880 wrote to memory of 884	1880	c5009a0d61af20e1b65995658e11ccd1.exe	cmd.exe
PID 1880 wrote to memory of 884	1880	c5009a0d61af20e1b65995658e11ccd1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c5009a0d61af20e1b65995658e11ccd1.exe
"C:\Users\Admin\AppData\Local\Temp\c5009a0d61af20e1b65995658e11ccd1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe'" /f
3⤵
- Creates scheduled task(s)
PID:584

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\c5009a0d61af20e1b65995658e11ccd1.exe" "C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe"
2⤵
PID:884

C:\Windows\system32\taskeng.exe
taskeng.exe {DEC235CC-6228-493F-87A3-20F7E5004608} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
PID:1684

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file.bat
Filesize
237B

MD5
2a3a80629926e8af2f9c970639634f55

SHA1
cfc4917692f475460a5123eb91708938d4c6a374

SHA256
36993488710fb210986d284dc81d4e65012632e06834aaef8fb3363fcd9bfb04

SHA512
827605494cff53966048aa9d734f3ab0ea774fd84885797a7ab24a6bda23827a98a3079eb9a2cf2e7ae27d0d86407a4f990d5a2862b791b4c16059cf74233dee

Download Submit
memory/584-87-0x0000000000000000-mapping.dmp

Download
memory/792-86-0x0000000000000000-mapping.dmp

Download
memory/884-93-0x0000000000000000-mapping.dmp

Download
memory/1388-88-0x0000000000000000-mapping.dmp

Download
memory/1624-95-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-94-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-90-0x0000000000000000-mapping.dmp

Download
memory/1880-55-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/1880-54-0x0000000000A20000-0x0000000000ACA000-memory.dmp

Filesize
680KB

Download
memory/2044-65-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-82-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-71-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-73-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-75-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-77-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-76-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-74-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-78-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-79-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-80-0x00000000004010BA-mapping.dmp

Download
memory/2044-70-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-85-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-68-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-66-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-64-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-62-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-60-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-92-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-59-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-57-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2044-56-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads