icexloader | e5527ba4613d78e45884b5808a809cd904e5199f485536aafe4634220f04027f

General

Target

eb7c350d1a43a8af985e8daba7add09a.exe
Size

348KB
MD5

eb7c350d1a43a8af985e8daba7add09a
SHA1

1f73832140e0520f9e6c84c6930ed0b4f2e1f43e
SHA256

e5527ba4613d78e45884b5808a809cd904e5199f485536aafe4634220f04027f
SHA512

af36e040dcd972e11c6d274c856abcd24bd708cca05c047489cbb0d35eed3e55db43562778c00243775983323d450ca1c7cf5541b1c3ef0f5ac114399348a64d
SSDEEP

6144:6bslI7rAzZV2MYORe5V9bZncY1xH1yVQhAyPlq/Y:6bvrkEMtqZD1yVQhAyPlq/Y

Score

10^/10

icexloader loader

Malware Config

Signatures

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2076 powershell.exe
2076 powershell.exe
3748 powershell.exe
3748 powershell.exe
4572 powershell.exe
4572 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2076 powershell.exe
Token: SeDebugPrivilege 3748 powershell.exe
Token: SeDebugPrivilege 4572 powershell.exe

pid	process
2076	powershell.exe
2076	powershell.exe
3748	powershell.exe
3748	powershell.exe
4572	powershell.exe
4572	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

eb7c350d1a43a8af985e8daba7add09a.execmd.exe

description	pid	process	target process
PID 4784 wrote to memory of 4252	4784	eb7c350d1a43a8af985e8daba7add09a.exe	cmd.exe
PID 4784 wrote to memory of 4252	4784	eb7c350d1a43a8af985e8daba7add09a.exe	cmd.exe
PID 4784 wrote to memory of 4252	4784	eb7c350d1a43a8af985e8daba7add09a.exe	cmd.exe
PID 4252 wrote to memory of 2076	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 2076	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 2076	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 3748	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 3748	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 3748	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 4572	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 4572	4252	cmd.exe	powershell.exe
PID 4252 wrote to memory of 4572	4252	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\eb7c350d1a43a8af985e8daba7add09a.exe
"C:\Users\Admin\AppData\Local\Temp\eb7c350d1a43a8af985e8daba7add09a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\Z\.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
13b703331c4dd58ff3e337c9602209b6

SHA1
234b4ee2571661110b491503261bccf61f2246c8

SHA256
19df53e1f2b7d54dcfaccb6566415ba5ee81d753cf0ca2fa70840cb0044a43c9

SHA512
ac155892820288d33569705971f03471bd286b573f3a0961acb22e06c64b1f34cc8244ee273b3743f1af508de2f95d4e1210dc3c513a40a82529eaf9abf5e07e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
892e29a5741d594409e3bc2eff7d556f

SHA1
fa8e82c25fd9e7543158d9f28f4ae835034af104

SHA256
b899ac66ee5a905a03d31c9e7e79deae2f61c2d4a2581a0ed59210764357465b

SHA512
150909ed5105ffc0dbc87e40d16f87a421dc7cba7c06eb14fcf4aa4b687be648a6bacad2fa1e2f7f4730c51cb1d28c5c5ac7d11623c6d3e732dc99ea77b7fd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat
Filesize
219B

MD5
f290b0832e7d0bbaba2e292943f95918

SHA1
5823ddb6681b7b6daa3c18c79b728c1c9dea3b42

SHA256
50f4b3965252b84a58afcdbd425e2162477947d067d5c36adc5a249f37bd8103

SHA512
df3128dc0c16fefebb1397668a5c7deb861d4d1ffe545172e1d39eba16aff6f4e3d068d149fda88306fab881d7438eda5c9f6d565c31594615b6ec1d6e88b707

Download Submit
memory/2076-144-0x0000000007970000-0x0000000007FEA000-memory.dmp

Filesize
6.5MB

Download
memory/2076-147-0x00000000075C0000-0x0000000007656000-memory.dmp

Filesize
600KB

Download
memory/2076-138-0x0000000005200000-0x0000000005266000-memory.dmp

Filesize
408KB

Download
memory/2076-139-0x0000000005320000-0x0000000005386000-memory.dmp

Filesize
408KB

Download
memory/2076-140-0x0000000006020000-0x000000000603E000-memory.dmp

Filesize
120KB

Download
memory/2076-141-0x00000000071D0000-0x0000000007202000-memory.dmp

Filesize
200KB

Download
memory/2076-142-0x0000000070A70000-0x0000000070ABC000-memory.dmp

Filesize
304KB

Download
memory/2076-143-0x00000000065D0000-0x00000000065EE000-memory.dmp

Filesize
120KB

Download
memory/2076-134-0x0000000000000000-mapping.dmp

Download
memory/2076-145-0x0000000007330000-0x000000000734A000-memory.dmp

Filesize
104KB

Download
memory/2076-146-0x0000000007390000-0x000000000739A000-memory.dmp

Filesize
40KB

Download
memory/2076-137-0x0000000005160000-0x0000000005182000-memory.dmp

Filesize
136KB

Download
memory/2076-148-0x0000000007560000-0x000000000756E000-memory.dmp

Filesize
56KB

Download
memory/2076-149-0x0000000007680000-0x000000000769A000-memory.dmp

Filesize
104KB

Download
memory/2076-150-0x00000000075B0000-0x00000000075B8000-memory.dmp

Filesize
32KB

Download
memory/2076-135-0x0000000000F30000-0x0000000000F66000-memory.dmp

Filesize
216KB

Download
memory/2076-136-0x0000000005410000-0x0000000005A38000-memory.dmp

Filesize
6.2MB

Download
memory/3748-151-0x0000000000000000-mapping.dmp

Download
memory/3748-154-0x0000000070A70000-0x0000000070ABC000-memory.dmp

Filesize
304KB

Download
memory/4252-132-0x0000000000000000-mapping.dmp

Download
memory/4572-155-0x0000000000000000-mapping.dmp

Download
memory/4572-157-0x0000000070A70000-0x0000000070ABC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads