icexloader | fd4f484c4d33a705a3d14c60d5eadd906ad8a79286a4d6041c7af1bf206ba77e

General

Target

619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Size

348KB
MD5

2be76cae2ba32867d8f244b65287d957
SHA1

6e7587064a02f11a831e0d9abb46603305e72665
SHA256

619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d
SHA512

748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

Detects IceXLoader v3.0 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\ICE X.exe	family_icexloader_v3
C:\Users\Admin\AppData\Roaming\ICE X.exe	family_icexloader_v3
C:\Users\Admin\AppData\Roaming\ICE X.exe	family_icexloader_v3
\Users\Admin\AppData\Roaming\ICE X.exe	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader
Executes dropped EXE 1 IoCs

Processes:

ICE X.exe

pid process

616 ICE X.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

600 cmd.exe

pid	process
616	ICE X.exe

pid	process
600	cmd.exe

Drops startup file 1 IoCs

Processes:

619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICE X.exe	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1944 cmd.exe
1944 cmd.exe

pid	process
1944	cmd.exe
1944	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1140 timeout.exe
1368 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1732 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1732 powershell.exe

pid	process
1140	timeout.exe
1368	timeout.exe

pid	process
1732	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1732	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.execmd.execmd.exeICE X.execmd.exe

description	pid	process	target process
PID 328 wrote to memory of 1944	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	cmd.exe
PID 328 wrote to memory of 1944	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	cmd.exe
PID 328 wrote to memory of 1944	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	cmd.exe
PID 328 wrote to memory of 1944	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	cmd.exe
PID 328 wrote to memory of 600	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	cmd.exe
PID 328 wrote to memory of 600	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	cmd.exe
PID 328 wrote to memory of 600	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	cmd.exe
PID 328 wrote to memory of 600	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	cmd.exe
PID 1944 wrote to memory of 1368	1944	cmd.exe	timeout.exe
PID 1944 wrote to memory of 1368	1944	cmd.exe	timeout.exe
PID 1944 wrote to memory of 1368	1944	cmd.exe	timeout.exe
PID 1944 wrote to memory of 1368	1944	cmd.exe	timeout.exe
PID 600 wrote to memory of 1140	600	cmd.exe	timeout.exe
PID 600 wrote to memory of 1140	600	cmd.exe	timeout.exe
PID 600 wrote to memory of 1140	600	cmd.exe	timeout.exe
PID 600 wrote to memory of 1140	600	cmd.exe	timeout.exe
PID 1944 wrote to memory of 616	1944	cmd.exe	ICE X.exe
PID 1944 wrote to memory of 616	1944	cmd.exe	ICE X.exe
PID 1944 wrote to memory of 616	1944	cmd.exe	ICE X.exe
PID 1944 wrote to memory of 616	1944	cmd.exe	ICE X.exe
PID 616 wrote to memory of 1268	616	ICE X.exe	cmd.exe
PID 616 wrote to memory of 1268	616	ICE X.exe	cmd.exe
PID 616 wrote to memory of 1268	616	ICE X.exe	cmd.exe
PID 616 wrote to memory of 1268	616	ICE X.exe	cmd.exe
PID 1268 wrote to memory of 1732	1268	cmd.exe	powershell.exe
PID 1268 wrote to memory of 1732	1268	cmd.exe	powershell.exe
PID 1268 wrote to memory of 1732	1268	cmd.exe	powershell.exe
PID 1268 wrote to memory of 1732	1268	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
"C:\Users\Admin\AppData\Local\Temp\619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\cmd.exe
cmd /c timeout 2 & "C:\Users\Admin\AppData\Roaming\ICE X.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:1368

C:\Users\Admin\AppData\Roaming\ICE X.exe
"C:\Users\Admin\AppData\Roaming\ICE X.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c timeout 1 & del /F "C:\Users\Admin\AppData\Local\Temp\619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1140

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file.bat
Filesize
239B

MD5
f6e9a890d89cbc6684cc81fdba858cb4

SHA1
352924f71a6debb722a31af9d9a2c9bc157f6593

SHA256
7300f298f3baf29ec7dfcffb6ed84a14eea910dd323d845f9c343990b8754c51

SHA512
e0ddd4bdc29b355937be75ea90b1c8a0b4e9ce631364fcc35635a7f33b7e00a4a245402456cf17364a91a61cf1a551f2fb49d3f25133a4e488a5f379014264d9

Download Submit
C:\Users\Admin\AppData\Roaming\ICE X.exe
Filesize
348KB

MD5
2be76cae2ba32867d8f244b65287d957

SHA1
6e7587064a02f11a831e0d9abb46603305e72665

SHA256
619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d

SHA512
748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Download Submit
C:\Users\Admin\AppData\Roaming\ICE X.exe
Filesize
348KB

MD5
2be76cae2ba32867d8f244b65287d957

SHA1
6e7587064a02f11a831e0d9abb46603305e72665

SHA256
619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d

SHA512
748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Download Submit
\Users\Admin\AppData\Roaming\ICE X.exe
Filesize
348KB

MD5
2be76cae2ba32867d8f244b65287d957

SHA1
6e7587064a02f11a831e0d9abb46603305e72665

SHA256
619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d

SHA512
748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Download Submit
\Users\Admin\AppData\Roaming\ICE X.exe
Filesize
348KB

MD5
2be76cae2ba32867d8f244b65287d957

SHA1
6e7587064a02f11a831e0d9abb46603305e72665

SHA256
619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d

SHA512
748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Download Submit
memory/328-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/600-56-0x0000000000000000-mapping.dmp

Download
memory/616-62-0x0000000000000000-mapping.dmp

Download
memory/1140-58-0x0000000000000000-mapping.dmp

Download
memory/1268-65-0x0000000000000000-mapping.dmp

Download
memory/1368-57-0x0000000000000000-mapping.dmp

Download
memory/1732-67-0x0000000000000000-mapping.dmp

Download
memory/1732-69-0x0000000073800000-0x0000000073DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1732-70-0x0000000073800000-0x0000000073DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1944-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads