icexloader | fd4f484c4d33a705a3d14c60d5eadd906ad8a79286a4d6041c7af1bf206ba77e

Analysis

max time kernel
155s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
13-07-2022 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Size

348KB
MD5

2be76cae2ba32867d8f244b65287d957
SHA1

6e7587064a02f11a831e0d9abb46603305e72665
SHA256

619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d
SHA512

748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

Detects IceXLoader v3.0 2 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e7f5-135.dat	family_icexloader_v3
behavioral2/files/0x000200000001e7f5-136.dat	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Executes dropped EXE 1 IoCs

pid	Process
2176	ICE X.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICE X.exe	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1204	timeout.exe
2500	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1644	powershell.exe
1644	powershell.exe
1420	powershell.exe
1420	powershell.exe
3944	powershell.exe
3944	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 3772	3768	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	79
PID 3768 wrote to memory of 3772	3768	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	79
PID 3768 wrote to memory of 3772	3768	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	79
PID 3768 wrote to memory of 1988	3768	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	80
PID 3768 wrote to memory of 1988	3768	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	80
PID 3768 wrote to memory of 1988	3768	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	80
PID 3772 wrote to memory of 1204	3772	cmd.exe	83
PID 3772 wrote to memory of 1204	3772	cmd.exe	83
PID 3772 wrote to memory of 1204	3772	cmd.exe	83
PID 1988 wrote to memory of 2500	1988	cmd.exe	84
PID 1988 wrote to memory of 2500	1988	cmd.exe	84
PID 1988 wrote to memory of 2500	1988	cmd.exe	84
PID 3772 wrote to memory of 2176	3772	cmd.exe	85
PID 3772 wrote to memory of 2176	3772	cmd.exe	85
PID 3772 wrote to memory of 2176	3772	cmd.exe	85
PID 2176 wrote to memory of 1984	2176	ICE X.exe	86
PID 2176 wrote to memory of 1984	2176	ICE X.exe	86
PID 2176 wrote to memory of 1984	2176	ICE X.exe	86
PID 1984 wrote to memory of 1644	1984	cmd.exe	88
PID 1984 wrote to memory of 1644	1984	cmd.exe	88
PID 1984 wrote to memory of 1644	1984	cmd.exe	88
PID 1984 wrote to memory of 1420	1984	cmd.exe	92
PID 1984 wrote to memory of 1420	1984	cmd.exe	92
PID 1984 wrote to memory of 1420	1984	cmd.exe	92
PID 1984 wrote to memory of 3944	1984	cmd.exe	94
PID 1984 wrote to memory of 3944	1984	cmd.exe	94
PID 1984 wrote to memory of 3944	1984	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
"C:\Users\Admin\AppData\Local\Temp\619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 2 & "C:\Users\Admin\AppData\Roaming\ICE X.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:1204
- - C:\Users\Admin\AppData\Roaming\ICE X.exe
    "C:\Users\Admin\AppData\Roaming\ICE X.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\ICE X\.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 1 & del /F "C:\Users\Admin\AppData\Local\Temp\619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
46746fd65a1b4fb35c89a073dfe727cd

SHA1
718a19e5af40a046c8661942e5e6b770901ccaee

SHA256
4a3cbe50bf1fbbdc92c79b9c225da21f2d18c94da26c1749e7a94a4beef489c8

SHA512
1f7ffa18701d54ed11e405b2c7e8998564adcfe9e8bc0370ff99fe64166da9dd9865619e7955cf0307f601ee1597168877640951dcfa94db06c2f165688469e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
06544035534b49626d96ef90bc498ca2

SHA1
bbdcd044fcec389901a3a7613c8e39d1e17ed32f

SHA256
02adcd130712a5e44c7fcd3b3a507e6874b0b98043cc0134d653dbed9994ee71

SHA512
1eccf3a4cff165a74bfdd0e93abaea6eca0ecf879a5d7444b5695bd3683632eb57bfa1011099b438a05bf7b8b7b232d9ce48b77e9e6e77356250a64a59b44927

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
239B

MD5
f6e9a890d89cbc6684cc81fdba858cb4

SHA1
352924f71a6debb722a31af9d9a2c9bc157f6593

SHA256
7300f298f3baf29ec7dfcffb6ed84a14eea910dd323d845f9c343990b8754c51

SHA512
e0ddd4bdc29b355937be75ea90b1c8a0b4e9ce631364fcc35635a7f33b7e00a4a245402456cf17364a91a61cf1a551f2fb49d3f25133a4e488a5f379014264d9

Download Submit
C:\Users\Admin\AppData\Roaming\ICE X.exe

Filesize
348KB

MD5
2be76cae2ba32867d8f244b65287d957

SHA1
6e7587064a02f11a831e0d9abb46603305e72665

SHA256
619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d

SHA512
748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Download Submit
C:\Users\Admin\AppData\Roaming\ICE X.exe

Filesize
348KB

MD5
2be76cae2ba32867d8f244b65287d957

SHA1
6e7587064a02f11a831e0d9abb46603305e72665

SHA256
619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d

SHA512
748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Download Submit
memory/1420-159-0x0000000071A40000-0x0000000071A8C000-memory.dmp

Filesize
304KB

Download
memory/1644-146-0x0000000007290000-0x00000000072C2000-memory.dmp

Filesize
200KB

Download
memory/1644-150-0x00000000073E0000-0x00000000073FA000-memory.dmp

Filesize
104KB

Download
memory/1644-141-0x0000000005300000-0x0000000005928000-memory.dmp

Filesize
6.2MB

Download
memory/1644-142-0x0000000005110000-0x0000000005132000-memory.dmp

Filesize
136KB

Download
memory/1644-143-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/1644-144-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/1644-145-0x00000000060D0000-0x00000000060EE000-memory.dmp

Filesize
120KB

Download
memory/1644-147-0x0000000070A20000-0x0000000070A6C000-memory.dmp

Filesize
304KB

Download
memory/1644-148-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/1644-149-0x0000000007A20000-0x000000000809A000-memory.dmp

Filesize
6.5MB

Download
memory/1644-140-0x0000000002B10000-0x0000000002B46000-memory.dmp

Filesize
216KB

Download
memory/1644-151-0x0000000007440000-0x000000000744A000-memory.dmp

Filesize
40KB

Download
memory/1644-152-0x0000000007670000-0x0000000007706000-memory.dmp

Filesize
600KB

Download
memory/1644-153-0x0000000007630000-0x000000000763E000-memory.dmp

Filesize
56KB

Download
memory/1644-154-0x0000000007730000-0x000000000774A000-memory.dmp

Filesize
104KB

Download
memory/1644-155-0x0000000007710000-0x0000000007718000-memory.dmp

Filesize
32KB

Download
memory/3944-162-0x0000000071A40000-0x0000000071A8C000-memory.dmp

Filesize
304KB

Download