icexloader | 8f13d11171f32cbb2e13500af64b3eed5f7405c0a7c92045b7aa1b9752e09fcb

General

Target

GamerLand.exe
Size

2.0MB
MD5

c5009a0d61af20e1b65995658e11ccd1
SHA1

64fa8d4f68bdb72bb0c2c006b20a7c0872e6a2c5
SHA256

8f13d11171f32cbb2e13500af64b3eed5f7405c0a7c92045b7aa1b9752e09fcb
SHA512

b6e630ca8a4b16b5dc4de75cb8745917b6249ab7fc3c3f8494ac20685254cdf7d8f4e5db8a05a2423a0b360daa57fe1d2675208367a135b35cf804696c8788d9

Score

10^/10

icexloader loader

Malware Config

Signatures

Detects IceXLoader v3.0 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4776-133-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral2/memory/4776-136-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral2/memory/4776-137-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral2/memory/4776-158-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

GamerLand.exe

description pid process target process

PID 4400 set thread context of 4776 4400 GamerLand.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

444 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4672 powershell.exe
4672 powershell.exe
2208 powershell.exe
2208 powershell.exe
5020 powershell.exe
5020 powershell.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

GamerLand.exe

pid process

4400 GamerLand.exe

description	pid	process	target process
PID 4400 set thread context of 4776	4400	GamerLand.exe	RegAsm.exe

pid	process
444	schtasks.exe

pid	process
4672	powershell.exe
4672	powershell.exe
2208	powershell.exe
2208	powershell.exe
5020	powershell.exe
5020	powershell.exe

pid	process
4400	GamerLand.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

GamerLand.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4400	GamerLand.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

GamerLand.exeRegAsm.execmd.execmd.exe

description	pid	process	target process
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4400 wrote to memory of 4776	4400	GamerLand.exe	RegAsm.exe
PID 4776 wrote to memory of 396	4776	RegAsm.exe	cmd.exe
PID 4776 wrote to memory of 396	4776	RegAsm.exe	cmd.exe
PID 4776 wrote to memory of 396	4776	RegAsm.exe	cmd.exe
PID 396 wrote to memory of 4672	396	cmd.exe	powershell.exe
PID 396 wrote to memory of 4672	396	cmd.exe	powershell.exe
PID 396 wrote to memory of 4672	396	cmd.exe	powershell.exe
PID 4400 wrote to memory of 1000	4400	GamerLand.exe	cmd.exe
PID 4400 wrote to memory of 1000	4400	GamerLand.exe	cmd.exe
PID 4400 wrote to memory of 1000	4400	GamerLand.exe	cmd.exe
PID 1000 wrote to memory of 444	1000	cmd.exe	schtasks.exe
PID 1000 wrote to memory of 444	1000	cmd.exe	schtasks.exe
PID 1000 wrote to memory of 444	1000	cmd.exe	schtasks.exe
PID 4400 wrote to memory of 2316	4400	GamerLand.exe	cmd.exe
PID 4400 wrote to memory of 2316	4400	GamerLand.exe	cmd.exe
PID 4400 wrote to memory of 2316	4400	GamerLand.exe	cmd.exe
PID 396 wrote to memory of 2208	396	cmd.exe	powershell.exe
PID 396 wrote to memory of 2208	396	cmd.exe	powershell.exe
PID 396 wrote to memory of 2208	396	cmd.exe	powershell.exe
PID 396 wrote to memory of 5020	396	cmd.exe	powershell.exe
PID 396 wrote to memory of 5020	396	cmd.exe	powershell.exe
PID 396 wrote to memory of 5020	396	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\GamerLand.exe
"C:\Users\Admin\AppData\Local\Temp\GamerLand.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\inN\.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe'" /f
3⤵
- Creates scheduled task(s)
PID:444

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\GamerLand.exe" "C:\Users\Admin\AppData\Roaming\Adob Update\Adob Update.exe"
2⤵
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
57e0e91710c2e04ba3f3e2fde0449062

SHA1
fcd3ada38fce79406eb211085b5f00fa80d254fc

SHA256
e7d3c444d6f075814421425c364da2e98909496a5d251a2483beb879a4d36dc8

SHA512
b89f0a89e5da1ed8b2c2c3256803ca67b0ae8a651310b792acb7fd6e5854cc1723d19bdbc9591bef8378dcd5e43ae2b0f236b8e79189ed4069aac2cdc62a44a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e976b9226eb0da72d1c5c547a6e4f894

SHA1
71971e6afaf5e06e629b0497feb45c1a6cb0bc2d

SHA256
7fc8eaa3b31f6a4d40c695c4ce5ed168d20079a98c23a37247fb8f2bb62af46b

SHA512
3379e91cb9bdd9f0ac98c349913aee956b17e691e16f2af1c0b709a66d30641f5e3f213961470ae155340bc59f05bced7d369d18fcfe24000596fd0f4f94e77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat
Filesize
237B

MD5
2a3a80629926e8af2f9c970639634f55

SHA1
cfc4917692f475460a5123eb91708938d4c6a374

SHA256
36993488710fb210986d284dc81d4e65012632e06834aaef8fb3363fcd9bfb04

SHA512
827605494cff53966048aa9d734f3ab0ea774fd84885797a7ab24a6bda23827a98a3079eb9a2cf2e7ae27d0d86407a4f990d5a2862b791b4c16059cf74233dee

Download Submit
memory/396-138-0x0000000000000000-mapping.dmp

Download
memory/444-148-0x0000000000000000-mapping.dmp

Download
memory/1000-147-0x0000000000000000-mapping.dmp

Download
memory/2208-164-0x00000000706B0000-0x00000000706FC000-memory.dmp

Filesize
304KB

Download
memory/2208-161-0x0000000000000000-mapping.dmp

Download
memory/2316-149-0x0000000000000000-mapping.dmp

Download
memory/4400-134-0x0000000006230000-0x00000000062C2000-memory.dmp

Filesize
584KB

Download
memory/4400-130-0x00000000004E0000-0x000000000058A000-memory.dmp

Filesize
680KB

Download
memory/4400-131-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/4672-140-0x0000000000000000-mapping.dmp

Download
memory/4672-155-0x0000000007A60000-0x0000000007A6A000-memory.dmp

Filesize
40KB

Download
memory/4672-146-0x0000000006700000-0x000000000671E000-memory.dmp

Filesize
120KB

Download
memory/4672-144-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/4672-143-0x0000000005740000-0x0000000005762000-memory.dmp

Filesize
136KB

Download
memory/4672-142-0x00000000058B0000-0x0000000005ED8000-memory.dmp

Filesize
6.2MB

Download
memory/4672-150-0x00000000078B0000-0x00000000078E2000-memory.dmp

Filesize
200KB

Download
memory/4672-151-0x00000000700A0000-0x00000000700EC000-memory.dmp

Filesize
304KB

Download
memory/4672-152-0x0000000006CB0000-0x0000000006CCE000-memory.dmp

Filesize
120KB

Download
memory/4672-153-0x0000000008040000-0x00000000086BA000-memory.dmp

Filesize
6.5MB

Download
memory/4672-154-0x0000000007A00000-0x0000000007A1A000-memory.dmp

Filesize
104KB

Download
memory/4672-145-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/4672-156-0x0000000007C90000-0x0000000007D26000-memory.dmp

Filesize
600KB

Download
memory/4672-157-0x0000000007C30000-0x0000000007C3E000-memory.dmp

Filesize
56KB

Download
memory/4672-141-0x0000000005140000-0x0000000005176000-memory.dmp

Filesize
216KB

Download
memory/4672-159-0x0000000007D50000-0x0000000007D6A000-memory.dmp

Filesize
104KB

Download
memory/4672-160-0x0000000007C80000-0x0000000007C88000-memory.dmp

Filesize
32KB

Download
memory/4776-158-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4776-137-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4776-136-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4776-133-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4776-132-0x0000000000000000-mapping.dmp

Download
memory/5020-165-0x0000000000000000-mapping.dmp

Download
memory/5020-167-0x0000000070690000-0x00000000706DC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads