icexloader | 1c02aa46e645e18f7e7519e495d620382c15ba3393e3270d0d7ab49c0cec1e43

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-08-2022 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

348KB
MD5

0c61bb3f03912694a8aca92128ca2a0e
SHA1

55605146730ab41ac75841776e41ca399614e874
SHA256

1c02aa46e645e18f7e7519e495d620382c15ba3393e3270d0d7ab49c0cec1e43
SHA512

3a5bc932deedcdb2c4cb5aa61b4ba0e794d52752f4f6ee71350d6fa5e2da9021ddbfe55f10e03be946dbd96cf560d7492aa7e6adedd12b19fb50fb2438ac6e18
SSDEEP

6144:2bslI7/8DtZ1WMYORbxV9bwEn8gfyVQhAyPlb/2:2bvUPEMtjwE3fyVQhAyPlb/2

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader
Drops startup file 1 IoCs

Processes:

file.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICE X.exe file.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICE X.exe	file.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	file.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	file.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1972 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1972 powershell.exe

pid	process
1972	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1972	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

file.execmd.exe

description	pid	process	target process
PID 1440 wrote to memory of 1760	1440	file.exe	cmd.exe
PID 1440 wrote to memory of 1760	1440	file.exe	cmd.exe
PID 1440 wrote to memory of 1760	1440	file.exe	cmd.exe
PID 1440 wrote to memory of 1760	1440	file.exe	cmd.exe
PID 1760 wrote to memory of 1972	1760	cmd.exe	powershell.exe
PID 1760 wrote to memory of 1972	1760	cmd.exe	powershell.exe
PID 1760 wrote to memory of 1972	1760	cmd.exe	powershell.exe
PID 1760 wrote to memory of 1972	1760	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file.bat
Filesize
239B

MD5
f6e9a890d89cbc6684cc81fdba858cb4

SHA1
352924f71a6debb722a31af9d9a2c9bc157f6593

SHA256
7300f298f3baf29ec7dfcffb6ed84a14eea910dd323d845f9c343990b8754c51

SHA512
e0ddd4bdc29b355937be75ea90b1c8a0b4e9ce631364fcc35635a7f33b7e00a4a245402456cf17364a91a61cf1a551f2fb49d3f25133a4e488a5f379014264d9

Download Submit
memory/1440-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1760-55-0x0000000000000000-mapping.dmp

Download
memory/1972-57-0x0000000000000000-mapping.dmp

Download
memory/1972-59-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-60-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download