icexloader | 1c02aa46e645e18f7e7519e495d620382c15ba3393e3270d0d7ab49c0cec1e43

General

Target

file.exe
Size

348KB
MD5

0c61bb3f03912694a8aca92128ca2a0e
SHA1

55605146730ab41ac75841776e41ca399614e874
SHA256

1c02aa46e645e18f7e7519e495d620382c15ba3393e3270d0d7ab49c0cec1e43
SHA512

3a5bc932deedcdb2c4cb5aa61b4ba0e794d52752f4f6ee71350d6fa5e2da9021ddbfe55f10e03be946dbd96cf560d7492aa7e6adedd12b19fb50fb2438ac6e18
SSDEEP

6144:2bslI7/8DtZ1WMYORbxV9bwEn8gfyVQhAyPlb/2:2bvUPEMtjwE3fyVQhAyPlb/2

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICE X.exe	file.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	file.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	file.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4424	powershell.exe
4424	powershell.exe
2320	powershell.exe
2320	powershell.exe
3460	powershell.exe
3460	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeRemoteShutdownPrivilege	4752	file.exe
Token: SeRemoteShutdownPrivilege	4752	file.exe
Token: SeRemoteShutdownPrivilege	4752	file.exe
Token: SeRemoteShutdownPrivilege	4752	file.exe
Token: SeRemoteShutdownPrivilege	4752	file.exe
Token: SeRemoteShutdownPrivilege	4752	file.exe
Token: SeRemoteShutdownPrivilege	4752	file.exe
Token: SeRemoteShutdownPrivilege	4752	file.exe
Token: SeRemoteShutdownPrivilege	4752	file.exe
Token: SeRemoteShutdownPrivilege	4752	file.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4080	4752	file.exe	84
PID 4752 wrote to memory of 4080	4752	file.exe	84
PID 4752 wrote to memory of 4080	4752	file.exe	84
PID 4080 wrote to memory of 4424	4080	cmd.exe	86
PID 4080 wrote to memory of 4424	4080	cmd.exe	86
PID 4080 wrote to memory of 4424	4080	cmd.exe	86
PID 4080 wrote to memory of 2320	4080	cmd.exe	87
PID 4080 wrote to memory of 2320	4080	cmd.exe	87
PID 4080 wrote to memory of 2320	4080	cmd.exe	87
PID 4080 wrote to memory of 3460	4080	cmd.exe	88
PID 4080 wrote to memory of 3460	4080	cmd.exe	88
PID 4080 wrote to memory of 3460	4080	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4424
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\ICE X\.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3681926190905016f882c92c3c852dfc

SHA1
7a8c8057bd2378473ec338ccd0afbc0cad209734

SHA256
dd35cb2e6646cd3d400fd55bc014c524f3c8f1459338abd9ed4d0011a9e2eddb

SHA512
9e20b5d25591ce5ec9ceee8138ad8f857f6728ac9b0acd590d6b56ada65b3f54f9201b21faec67217cfdc5124bf075f6ea25474de1ad30a050b2d6db208f97c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
54def8e2af51f1a542d4faec9a7ca0b6

SHA1
264980abdb5eba46de03155fc0c5439c4e5f2795

SHA256
3ae27402c01a3c3668c775b722197689bba55d0787a2b1af87444196e721cfd0

SHA512
0027ba905828c0ee1e3b87bf03289b22725441b3fe69e36233b19f7a792a815408aa50ffe194cf73bd7ca6602001da75ff6d3cbf3bfdf4ba1e33b9f26801950f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
239B

MD5
f6e9a890d89cbc6684cc81fdba858cb4

SHA1
352924f71a6debb722a31af9d9a2c9bc157f6593

SHA256
7300f298f3baf29ec7dfcffb6ed84a14eea910dd323d845f9c343990b8754c51

SHA512
e0ddd4bdc29b355937be75ea90b1c8a0b4e9ce631364fcc35635a7f33b7e00a4a245402456cf17364a91a61cf1a551f2fb49d3f25133a4e488a5f379014264d9

Download Submit
memory/2320-154-0x00000000705B0000-0x00000000705FC000-memory.dmp

Filesize
304KB

Download
memory/3460-157-0x00000000705B0000-0x00000000705FC000-memory.dmp

Filesize
304KB

Download
memory/4424-144-0x0000000007D50000-0x00000000083CA000-memory.dmp

Filesize
6.5MB

Download
memory/4424-150-0x0000000007980000-0x0000000007988000-memory.dmp

Filesize
32KB

Download
memory/4424-143-0x00000000069C0000-0x00000000069DE000-memory.dmp

Filesize
120KB

Download
memory/4424-141-0x0000000006A00000-0x0000000006A32000-memory.dmp

Filesize
200KB

Download
memory/4424-145-0x0000000007700000-0x000000000771A000-memory.dmp

Filesize
104KB

Download
memory/4424-146-0x0000000007760000-0x000000000776A000-memory.dmp

Filesize
40KB

Download
memory/4424-147-0x0000000007990000-0x0000000007A26000-memory.dmp

Filesize
600KB

Download
memory/4424-148-0x0000000007940000-0x000000000794E000-memory.dmp

Filesize
56KB

Download
memory/4424-149-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/4424-142-0x00000000705B0000-0x00000000705FC000-memory.dmp

Filesize
304KB

Download
memory/4424-140-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/4424-139-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/4424-138-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/4424-137-0x0000000005520000-0x0000000005542000-memory.dmp

Filesize
136KB

Download
memory/4424-136-0x0000000005810000-0x0000000005E38000-memory.dmp

Filesize
6.2MB

Download
memory/4424-135-0x0000000002AE0000-0x0000000002B16000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing