icexloader | e5527ba4613d78e45884b5808a809cd904e5199f485536aafe4634220f04027f

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13-09-2022 17:50

Target

eb7c350d1a43a8af985e8daba7add09a.exe
Size

348KB
MD5

eb7c350d1a43a8af985e8daba7add09a
SHA1

1f73832140e0520f9e6c84c6930ed0b4f2e1f43e
SHA256

e5527ba4613d78e45884b5808a809cd904e5199f485536aafe4634220f04027f
SHA512

af36e040dcd972e11c6d274c856abcd24bd708cca05c047489cbb0d35eed3e55db43562778c00243775983323d450ca1c7cf5541b1c3ef0f5ac114399348a64d
SSDEEP

6144:6bslI7rAzZV2MYORe5V9bZncY1xH1yVQhAyPlq/Y:6bvrkEMtqZD1yVQhAyPlq/Y

Score

10^/10

icexloader loader

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1744 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1744 powershell.exe

pid	process
1744	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1744	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

eb7c350d1a43a8af985e8daba7add09a.execmd.exe

description	pid	process	target process
PID 1648 wrote to memory of 2028	1648	eb7c350d1a43a8af985e8daba7add09a.exe	cmd.exe
PID 1648 wrote to memory of 2028	1648	eb7c350d1a43a8af985e8daba7add09a.exe	cmd.exe
PID 1648 wrote to memory of 2028	1648	eb7c350d1a43a8af985e8daba7add09a.exe	cmd.exe
PID 1648 wrote to memory of 2028	1648	eb7c350d1a43a8af985e8daba7add09a.exe	cmd.exe
PID 2028 wrote to memory of 1744	2028	cmd.exe	powershell.exe
PID 2028 wrote to memory of 1744	2028	cmd.exe	powershell.exe
PID 2028 wrote to memory of 1744	2028	cmd.exe	powershell.exe
PID 2028 wrote to memory of 1744	2028	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\eb7c350d1a43a8af985e8daba7add09a.exe
"C:\Users\Admin\AppData\Local\Temp\eb7c350d1a43a8af985e8daba7add09a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\file.bat
Filesize
219B

MD5
f290b0832e7d0bbaba2e292943f95918

SHA1
5823ddb6681b7b6daa3c18c79b728c1c9dea3b42

SHA256
50f4b3965252b84a58afcdbd425e2162477947d067d5c36adc5a249f37bd8103

SHA512
df3128dc0c16fefebb1397668a5c7deb861d4d1ffe545172e1d39eba16aff6f4e3d068d149fda88306fab881d7438eda5c9f6d565c31594615b6ec1d6e88b707

Download Submit
memory/1648-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1744-57-0x0000000000000000-mapping.dmp

Download
memory/1744-59-0x0000000073A60000-0x000000007400B000-memory.dmp

Filesize
5.7MB

Download
memory/1744-60-0x0000000073A60000-0x000000007400B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-55-0x0000000000000000-mapping.dmp

Download