icexloader | 1c02aa46e645e18f7e7519e495d620382c15ba3393e3270d0d7ab49c0cec1e43

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-08-2022 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

348KB
MD5

0c61bb3f03912694a8aca92128ca2a0e
SHA1

55605146730ab41ac75841776e41ca399614e874
SHA256

1c02aa46e645e18f7e7519e495d620382c15ba3393e3270d0d7ab49c0cec1e43
SHA512

3a5bc932deedcdb2c4cb5aa61b4ba0e794d52752f4f6ee71350d6fa5e2da9021ddbfe55f10e03be946dbd96cf560d7492aa7e6adedd12b19fb50fb2438ac6e18
SSDEEP

6144:2bslI7/8DtZ1WMYORbxV9bwEn8gfyVQhAyPlb/2:2bvUPEMtjwE3fyVQhAyPlb/2

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICE X.exe	file.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	file.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	file.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1972	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 1760	1440	file.exe	28
PID 1440 wrote to memory of 1760	1440	file.exe	28
PID 1440 wrote to memory of 1760	1440	file.exe	28
PID 1440 wrote to memory of 1760	1440	file.exe	28
PID 1760 wrote to memory of 1972	1760	cmd.exe	30
PID 1760 wrote to memory of 1972	1760	cmd.exe	30
PID 1760 wrote to memory of 1972	1760	cmd.exe	30
PID 1760 wrote to memory of 1972	1760	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
239B

MD5
f6e9a890d89cbc6684cc81fdba858cb4

SHA1
352924f71a6debb722a31af9d9a2c9bc157f6593

SHA256
7300f298f3baf29ec7dfcffb6ed84a14eea910dd323d845f9c343990b8754c51

SHA512
e0ddd4bdc29b355937be75ea90b1c8a0b4e9ce631364fcc35635a7f33b7e00a4a245402456cf17364a91a61cf1a551f2fb49d3f25133a4e488a5f379014264d9

Download Submit
memory/1440-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1972-59-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-60-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download