icexloader | 34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1

Analysis

max time kernel
43s
max time network
57s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
19-07-2022 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.exe
Size

347KB
MD5

91de3fb29c2b6b09d64e693a6a018146
SHA1

91fbfd49bb7426f118ce8a9d2a781ae170da7fe1
SHA256

34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1
SHA512

f8e827c8616804c90900eb69eba63c2f6c33f4ef0532adcd1eee485195d4994e891afb92151648cd17b6ffada3badfd939d6bdd9535471f5a7152c27c82e2508

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Drops startup file 1 IoCs

Processes:

34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OApp.exe	34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run	34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\OApp = "\"C:\\Users\\Admin\\AppData\\Roaming\\OApp.exe\""	34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OApp = "\"C:\\Users\\Admin\\AppData\\Roaming\\OApp.exe\""	34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

948 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 948 powershell.exe

pid	process
948	powershell.exe

description	pid	process
Token: SeDebugPrivilege	948	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.execmd.exe

description	pid	process	target process
PID 1652 wrote to memory of 1944	1652	34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.exe	cmd.exe
PID 1652 wrote to memory of 1944	1652	34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.exe	cmd.exe
PID 1652 wrote to memory of 1944	1652	34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.exe	cmd.exe
PID 1652 wrote to memory of 1944	1652	34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.exe	cmd.exe
PID 1944 wrote to memory of 948	1944	cmd.exe	powershell.exe
PID 1944 wrote to memory of 948	1944	cmd.exe	powershell.exe
PID 1944 wrote to memory of 948	1944	cmd.exe	powershell.exe
PID 1944 wrote to memory of 948	1944	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.exe
"C:\Users\Admin\AppData\Local\Temp\34568d7cc3bf1a3c82438c5d6e2b8116a3e270ee18e723450e375b6e41f077d1.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:948

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
238B

MD5
33523feaa8b71659f33821ba1f1888eb

SHA1
d32e8a5048601b642e766c33873590b5fcf8603a

SHA256
b9fa2d3b027597ab775e82d351d2e0d1f8c1e263bcc95d6f40254cd665c59449

SHA512
79741c6f9b5e1c5cc482576ff12d937452aeedcd16b840a8621e73875d61ca9ca2e12aef0bb6776f275692af5e32f19695f46f297a9057b8e4ec78202cff7c07

Download Submit
memory/948-57-0x0000000000000000-mapping.dmp

Download
memory/948-59-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/948-60-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1944-55-0x0000000000000000-mapping.dmp

Download
memory/1992-61-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

Filesize
8KB

Download