icexloader | fd4f484c4d33a705a3d14c60d5eadd906ad8a79286a4d6041c7af1bf206ba77e

General

Target

619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Size

348KB
MD5

2be76cae2ba32867d8f244b65287d957
SHA1

6e7587064a02f11a831e0d9abb46603305e72665
SHA256

619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d
SHA512

748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

Detects IceXLoader v3.0 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ICE X.exe	family_icexloader_v3
C:\Users\Admin\AppData\Roaming\ICE X.exe	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader
Executes dropped EXE 1 IoCs

Processes:

ICE X.exe

pid process

2176 ICE X.exe

pid	process
2176	ICE X.exe

Drops startup file 1 IoCs

Processes:

619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICE X.exe	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1204 timeout.exe
2500 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1644 powershell.exe
1644 powershell.exe
1420 powershell.exe
1420 powershell.exe
3944 powershell.exe
3944 powershell.exe

pid	process
1204	timeout.exe
2500	timeout.exe

pid	process
1644	powershell.exe
1644	powershell.exe
1420	powershell.exe
1420	powershell.exe
3944	powershell.exe
3944	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

powershell.exeICE X.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe
Token: SeRemoteShutdownPrivilege	2176	ICE X.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.execmd.execmd.exeICE X.execmd.exe

description	pid	process	target process
PID 3768 wrote to memory of 3772	3768	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	cmd.exe
PID 3768 wrote to memory of 3772	3768	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	cmd.exe
PID 3768 wrote to memory of 3772	3768	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	cmd.exe
PID 3768 wrote to memory of 1988	3768	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	cmd.exe
PID 3768 wrote to memory of 1988	3768	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	cmd.exe
PID 3768 wrote to memory of 1988	3768	619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe	cmd.exe
PID 3772 wrote to memory of 1204	3772	cmd.exe	timeout.exe
PID 3772 wrote to memory of 1204	3772	cmd.exe	timeout.exe
PID 3772 wrote to memory of 1204	3772	cmd.exe	timeout.exe
PID 1988 wrote to memory of 2500	1988	cmd.exe	timeout.exe
PID 1988 wrote to memory of 2500	1988	cmd.exe	timeout.exe
PID 1988 wrote to memory of 2500	1988	cmd.exe	timeout.exe
PID 3772 wrote to memory of 2176	3772	cmd.exe	ICE X.exe
PID 3772 wrote to memory of 2176	3772	cmd.exe	ICE X.exe
PID 3772 wrote to memory of 2176	3772	cmd.exe	ICE X.exe
PID 2176 wrote to memory of 1984	2176	ICE X.exe	cmd.exe
PID 2176 wrote to memory of 1984	2176	ICE X.exe	cmd.exe
PID 2176 wrote to memory of 1984	2176	ICE X.exe	cmd.exe
PID 1984 wrote to memory of 1644	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 1644	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 1644	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 1420	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 1420	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 1420	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 3944	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 3944	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 3944	1984	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe
"C:\Users\Admin\AppData\Local\Temp\619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\cmd.exe
cmd /c timeout 2 & "C:\Users\Admin\AppData\Roaming\ICE X.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:1204

C:\Users\Admin\AppData\Roaming\ICE X.exe
"C:\Users\Admin\AppData\Roaming\ICE X.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\ICE X\.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\cmd.exe
cmd /c timeout 1 & del /F "C:\Users\Admin\AppData\Local\Temp\619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
46746fd65a1b4fb35c89a073dfe727cd

SHA1
718a19e5af40a046c8661942e5e6b770901ccaee

SHA256
4a3cbe50bf1fbbdc92c79b9c225da21f2d18c94da26c1749e7a94a4beef489c8

SHA512
1f7ffa18701d54ed11e405b2c7e8998564adcfe9e8bc0370ff99fe64166da9dd9865619e7955cf0307f601ee1597168877640951dcfa94db06c2f165688469e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
06544035534b49626d96ef90bc498ca2

SHA1
bbdcd044fcec389901a3a7613c8e39d1e17ed32f

SHA256
02adcd130712a5e44c7fcd3b3a507e6874b0b98043cc0134d653dbed9994ee71

SHA512
1eccf3a4cff165a74bfdd0e93abaea6eca0ecf879a5d7444b5695bd3683632eb57bfa1011099b438a05bf7b8b7b232d9ce48b77e9e6e77356250a64a59b44927

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat
Filesize
239B

MD5
f6e9a890d89cbc6684cc81fdba858cb4

SHA1
352924f71a6debb722a31af9d9a2c9bc157f6593

SHA256
7300f298f3baf29ec7dfcffb6ed84a14eea910dd323d845f9c343990b8754c51

SHA512
e0ddd4bdc29b355937be75ea90b1c8a0b4e9ce631364fcc35635a7f33b7e00a4a245402456cf17364a91a61cf1a551f2fb49d3f25133a4e488a5f379014264d9

Download Submit
C:\Users\Admin\AppData\Roaming\ICE X.exe
Filesize
348KB

MD5
2be76cae2ba32867d8f244b65287d957

SHA1
6e7587064a02f11a831e0d9abb46603305e72665

SHA256
619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d

SHA512
748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Download Submit
C:\Users\Admin\AppData\Roaming\ICE X.exe
Filesize
348KB

MD5
2be76cae2ba32867d8f244b65287d957

SHA1
6e7587064a02f11a831e0d9abb46603305e72665

SHA256
619356420efd4dc53704fb5eb5c93f1f5d4a0123ed1fdd5ce276a832381de51d

SHA512
748c6319825db2763941a639e640634fcdbf662d46ad683325e1e040fce6421152ec4a29d65cf9f26a4652dcb49570412b12930b8e79042d7bcbf4b71badab12

Download Submit
memory/1204-132-0x0000000000000000-mapping.dmp

Download
memory/1420-156-0x0000000000000000-mapping.dmp

Download
memory/1420-159-0x0000000071A40000-0x0000000071A8C000-memory.dmp

Filesize
304KB

Download
memory/1644-146-0x0000000007290000-0x00000000072C2000-memory.dmp

Filesize
200KB

Download
memory/1644-150-0x00000000073E0000-0x00000000073FA000-memory.dmp

Filesize
104KB

Download
memory/1644-141-0x0000000005300000-0x0000000005928000-memory.dmp

Filesize
6.2MB

Download
memory/1644-142-0x0000000005110000-0x0000000005132000-memory.dmp

Filesize
136KB

Download
memory/1644-143-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/1644-144-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/1644-145-0x00000000060D0000-0x00000000060EE000-memory.dmp

Filesize
120KB

Download
memory/1644-139-0x0000000000000000-mapping.dmp

Download
memory/1644-147-0x0000000070A20000-0x0000000070A6C000-memory.dmp

Filesize
304KB

Download
memory/1644-148-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/1644-149-0x0000000007A20000-0x000000000809A000-memory.dmp

Filesize
6.5MB

Download
memory/1644-140-0x0000000002B10000-0x0000000002B46000-memory.dmp

Filesize
216KB

Download
memory/1644-151-0x0000000007440000-0x000000000744A000-memory.dmp

Filesize
40KB

Download
memory/1644-152-0x0000000007670000-0x0000000007706000-memory.dmp

Filesize
600KB

Download
memory/1644-153-0x0000000007630000-0x000000000763E000-memory.dmp

Filesize
56KB

Download
memory/1644-154-0x0000000007730000-0x000000000774A000-memory.dmp

Filesize
104KB

Download
memory/1644-155-0x0000000007710000-0x0000000007718000-memory.dmp

Filesize
32KB

Download
memory/1984-137-0x0000000000000000-mapping.dmp

Download
memory/1988-131-0x0000000000000000-mapping.dmp

Download
memory/2176-134-0x0000000000000000-mapping.dmp

Download
memory/2500-133-0x0000000000000000-mapping.dmp

Download
memory/3772-130-0x0000000000000000-mapping.dmp

Download
memory/3944-160-0x0000000000000000-mapping.dmp

Download
memory/3944-162-0x0000000071A40000-0x0000000071A8C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads