icexloader | 8f13d11171f32cbb2e13500af64b3eed5f7405c0a7c92045b7aa1b9752e09fcb

General

Target

c5009a0d61af20e1b65995658e11ccd1.exe
Size

2.0MB
MD5

c5009a0d61af20e1b65995658e11ccd1
SHA1

64fa8d4f68bdb72bb0c2c006b20a7c0872e6a2c5
SHA256

8f13d11171f32cbb2e13500af64b3eed5f7405c0a7c92045b7aa1b9752e09fcb
SHA512

b6e630ca8a4b16b5dc4de75cb8745917b6249ab7fc3c3f8494ac20685254cdf7d8f4e5db8a05a2423a0b360daa57fe1d2675208367a135b35cf804696c8788d9

Score

10^/10

icexloader loader

Malware Config

Signatures

Detects IceXLoader v3.0 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4020-133-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral2/memory/4020-136-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral2/memory/4020-137-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral2/memory/4020-149-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

c5009a0d61af20e1b65995658e11ccd1.exe

description pid process target process

PID 1620 set thread context of 4020 1620 c5009a0d61af20e1b65995658e11ccd1.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4860 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3108 powershell.exe
3108 powershell.exe
1376 powershell.exe
1376 powershell.exe
4740 powershell.exe
4740 powershell.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

c5009a0d61af20e1b65995658e11ccd1.exe

pid process

1620 c5009a0d61af20e1b65995658e11ccd1.exe

description	pid	process	target process
PID 1620 set thread context of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe

pid	process
4860	schtasks.exe

pid	process
3108	powershell.exe
3108	powershell.exe
1376	powershell.exe
1376	powershell.exe
4740	powershell.exe
4740	powershell.exe

pid	process
1620	c5009a0d61af20e1b65995658e11ccd1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

c5009a0d61af20e1b65995658e11ccd1.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1620	c5009a0d61af20e1b65995658e11ccd1.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

c5009a0d61af20e1b65995658e11ccd1.exeRegAsm.execmd.execmd.exe

description	pid	process	target process
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 1620 wrote to memory of 4020	1620	c5009a0d61af20e1b65995658e11ccd1.exe	RegAsm.exe
PID 4020 wrote to memory of 4368	4020	RegAsm.exe	cmd.exe
PID 4020 wrote to memory of 4368	4020	RegAsm.exe	cmd.exe
PID 4020 wrote to memory of 4368	4020	RegAsm.exe	cmd.exe
PID 4368 wrote to memory of 3108	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 3108	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 3108	4368	cmd.exe	powershell.exe
PID 1620 wrote to memory of 4856	1620	c5009a0d61af20e1b65995658e11ccd1.exe	cmd.exe
PID 1620 wrote to memory of 4856	1620	c5009a0d61af20e1b65995658e11ccd1.exe	cmd.exe
PID 1620 wrote to memory of 4856	1620	c5009a0d61af20e1b65995658e11ccd1.exe	cmd.exe
PID 4856 wrote to memory of 4860	4856	cmd.exe	schtasks.exe
PID 4856 wrote to memory of 4860	4856	cmd.exe	schtasks.exe
PID 4856 wrote to memory of 4860	4856	cmd.exe	schtasks.exe
PID 1620 wrote to memory of 424	1620	c5009a0d61af20e1b65995658e11ccd1.exe	cmd.exe
PID 1620 wrote to memory of 424	1620	c5009a0d61af20e1b65995658e11ccd1.exe	cmd.exe
PID 1620 wrote to memory of 424	1620	c5009a0d61af20e1b65995658e11ccd1.exe	cmd.exe
PID 4368 wrote to memory of 1376	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 1376	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 1376	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 4740	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 4740	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 4740	4368	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\c5009a0d61af20e1b65995658e11ccd1.exe
"C:\Users\Admin\AppData\Local\Temp\c5009a0d61af20e1b65995658e11ccd1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3108
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\inN\.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1376
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4740
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4860
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\c5009a0d61af20e1b65995658e11ccd1.exe" "C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe"
  2⤵
  PID:424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
68e2708b0e33b5a83a7e08bb1c1650ae

SHA1
40e8b25dfda024360487293824cc5f7fc9bb3a88

SHA256
0d2ca6e430dcea05cbd9a9696d847649786279ccf2d37cd2115e985e1f1f07f0

SHA512
98b1d63d36eb84bc7cf91abb9985e177b5353ad15a2c10d5104c89dbe049a089dd374f741ba7e0ed356d2c53b32e4661c61a095a09f008d5c0526c75c5864899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e882af1e4763665060ba09639a4dc8ce

SHA1
b5bc6afd89eb73fe8b076f71be35005df620cfed

SHA256
7288563c6992e234e96f7cc7daac22fd274f11a0b3f655dfe457f9842f9cbea0

SHA512
3e77b613f693362d2722da82180d5879e8d3e35d87a101ce69388426b5d28dc85786ed782cc2fdca2971f3caedc661577cf17033152cd5c8530ecdb59fb8b0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
237B

MD5
2a3a80629926e8af2f9c970639634f55

SHA1
cfc4917692f475460a5123eb91708938d4c6a374

SHA256
36993488710fb210986d284dc81d4e65012632e06834aaef8fb3363fcd9bfb04

SHA512
827605494cff53966048aa9d734f3ab0ea774fd84885797a7ab24a6bda23827a98a3079eb9a2cf2e7ae27d0d86407a4f990d5a2862b791b4c16059cf74233dee

Download Submit
memory/424-148-0x0000000000000000-mapping.dmp

Download
memory/1376-164-0x0000000071150000-0x000000007119C000-memory.dmp

Filesize
304KB

Download
memory/1376-161-0x0000000000000000-mapping.dmp

Download
memory/1620-131-0x0000000005CD0000-0x0000000006274000-memory.dmp

Filesize
5.6MB

Download
memory/1620-134-0x0000000006420000-0x00000000064B2000-memory.dmp

Filesize
584KB

Download
memory/1620-130-0x0000000000F70000-0x000000000101A000-memory.dmp

Filesize
680KB

Download
memory/3108-158-0x00000000079D0000-0x00000000079DE000-memory.dmp

Filesize
56KB

Download
memory/3108-154-0x0000000007DE0000-0x000000000845A000-memory.dmp

Filesize
6.5MB

Download
memory/3108-143-0x0000000005350000-0x0000000005372000-memory.dmp

Filesize
136KB

Download
memory/3108-144-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/3108-145-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/3108-160-0x0000000007A10000-0x0000000007A18000-memory.dmp

Filesize
32KB

Download
memory/3108-159-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

Filesize
104KB

Download
memory/3108-141-0x0000000002E30000-0x0000000002E66000-memory.dmp

Filesize
216KB

Download
memory/3108-140-0x0000000000000000-mapping.dmp

Download
memory/3108-150-0x0000000006470000-0x000000000648E000-memory.dmp

Filesize
120KB

Download
memory/3108-151-0x0000000006930000-0x0000000006962000-memory.dmp

Filesize
200KB

Download
memory/3108-152-0x0000000071F90000-0x0000000071FDC000-memory.dmp

Filesize
304KB

Download
memory/3108-153-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/3108-142-0x0000000005670000-0x0000000005C98000-memory.dmp

Filesize
6.2MB

Download
memory/3108-155-0x0000000007790000-0x00000000077AA000-memory.dmp

Filesize
104KB

Download
memory/3108-156-0x00000000077F0000-0x00000000077FA000-memory.dmp

Filesize
40KB

Download
memory/3108-157-0x0000000007A20000-0x0000000007AB6000-memory.dmp

Filesize
600KB

Download
memory/4020-149-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4020-137-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4020-136-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4020-133-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4020-132-0x0000000000000000-mapping.dmp

Download
memory/4368-138-0x0000000000000000-mapping.dmp

Download
memory/4740-165-0x0000000000000000-mapping.dmp

Download
memory/4740-167-0x0000000071150000-0x000000007119C000-memory.dmp

Filesize
304KB

Download
memory/4856-146-0x0000000000000000-mapping.dmp

Download
memory/4860-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads