icexloader | fd4f484c4d33a705a3d14c60d5eadd906ad8a79286a4d6041c7af1bf206ba77e

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
13-07-2022 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Size

348KB
MD5

2be76cae2ba32867d8f244b65287d957
SHA1

6e7587064a02f11a831e0d9abb46603305e72665
SHA256

619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d
SHA512

748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

Detects IceXLoader v3.0 4 IoCs

resource	yara_rule
behavioral1/files/0x000d000000005ba9-59.dat	family_icexloader_v3
behavioral1/files/0x000d000000005ba9-60.dat	family_icexloader_v3
behavioral1/files/0x000d000000005ba9-63.dat	family_icexloader_v3
behavioral1/files/0x000d000000005ba9-61.dat	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Executes dropped EXE 1 IoCs

pid	Process
616	ICE X.exe

Deletes itself 1 IoCs

pid	Process
600	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICE X.exe	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe

Loads dropped DLL 2 IoCs

pid	Process
1944	cmd.exe
1944	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1140	timeout.exe
1368	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1732	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 1944	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	27
PID 328 wrote to memory of 1944	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	27
PID 328 wrote to memory of 1944	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	27
PID 328 wrote to memory of 1944	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	27
PID 328 wrote to memory of 600	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	28
PID 328 wrote to memory of 600	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	28
PID 328 wrote to memory of 600	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	28
PID 328 wrote to memory of 600	328	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	28
PID 1944 wrote to memory of 1368	1944	cmd.exe	32
PID 1944 wrote to memory of 1368	1944	cmd.exe	32
PID 1944 wrote to memory of 1368	1944	cmd.exe	32
PID 1944 wrote to memory of 1368	1944	cmd.exe	32
PID 600 wrote to memory of 1140	600	cmd.exe	31
PID 600 wrote to memory of 1140	600	cmd.exe	31
PID 600 wrote to memory of 1140	600	cmd.exe	31
PID 600 wrote to memory of 1140	600	cmd.exe	31
PID 1944 wrote to memory of 616	1944	cmd.exe	33
PID 1944 wrote to memory of 616	1944	cmd.exe	33
PID 1944 wrote to memory of 616	1944	cmd.exe	33
PID 1944 wrote to memory of 616	1944	cmd.exe	33
PID 616 wrote to memory of 1268	616	ICE X.exe	34
PID 616 wrote to memory of 1268	616	ICE X.exe	34
PID 616 wrote to memory of 1268	616	ICE X.exe	34
PID 616 wrote to memory of 1268	616	ICE X.exe	34
PID 1268 wrote to memory of 1732	1268	cmd.exe	36
PID 1268 wrote to memory of 1732	1268	cmd.exe	36
PID 1268 wrote to memory of 1732	1268	cmd.exe	36
PID 1268 wrote to memory of 1732	1268	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
"C:\Users\Admin\AppData\Local\Temp\619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 2 & "C:\Users\Admin\AppData\Roaming\ICE X.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:1368
- - C:\Users\Admin\AppData\Roaming\ICE X.exe
    "C:\Users\Admin\AppData\Roaming\ICE X.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:616
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 1 & del /F "C:\Users\Admin\AppData\Local\Temp\619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
239B

MD5
f6e9a890d89cbc6684cc81fdba858cb4

SHA1
352924f71a6debb722a31af9d9a2c9bc157f6593

SHA256
7300f298f3baf29ec7dfcffb6ed84a14eea910dd323d845f9c343990b8754c51

SHA512
e0ddd4bdc29b355937be75ea90b1c8a0b4e9ce631364fcc35635a7f33b7e00a4a245402456cf17364a91a61cf1a551f2fb49d3f25133a4e488a5f379014264d9

Download Submit
C:\Users\Admin\AppData\Roaming\ICE X.exe

Filesize
348KB

MD5
2be76cae2ba32867d8f244b65287d957

SHA1
6e7587064a02f11a831e0d9abb46603305e72665

SHA256
619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d

SHA512
748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Download Submit
C:\Users\Admin\AppData\Roaming\ICE X.exe

Filesize
348KB

MD5
2be76cae2ba32867d8f244b65287d957

SHA1
6e7587064a02f11a831e0d9abb46603305e72665

SHA256
619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d

SHA512
748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Download Submit
\Users\Admin\AppData\Roaming\ICE X.exe

Filesize
348KB

MD5
2be76cae2ba32867d8f244b65287d957

SHA1
6e7587064a02f11a831e0d9abb46603305e72665

SHA256
619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d

SHA512
748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Download Submit
\Users\Admin\AppData\Roaming\ICE X.exe

Filesize
348KB

MD5
2be76cae2ba32867d8f244b65287d957

SHA1
6e7587064a02f11a831e0d9abb46603305e72665

SHA256
619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d

SHA512
748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Download Submit
memory/328-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1732-69-0x0000000073800000-0x0000000073DAB000-memory.dmp

Filesize
5.7MB

Download
memory/1732-70-0x0000000073800000-0x0000000073DAB000-memory.dmp

Filesize
5.7MB

Download