Behavioral Report

General

Target

ICEY LOADER 2022.exe
Size

4MB
MD5

170343dae67f141321e31a6b1bf981f4
SHA1

322d6493902eb57c4459e87dfea219b8aed9ba44
SHA256

c23e8f61e677667f91254417a9dcd50bb07ba2675e0f011e34f36d977c57dbf2
SHA512

f89895ea2778362866408fbbd7d12164440d9a98b02eb325d7d820a6fcdac4c4046460909b7c62f1937cd60c0546dd74c4dc4d502fd58722183f9c7b951ef727
SSDEEP

6144:KSncRldLV6Bta6dtJmakIM54uZ97mtdX5iSHk:H4nLV6Btpmk7uZYnp5k

Score

10^/10

mercurialgrabber nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family	nanocore
Version	1.2.2.0
C2	hackenamin.duckdns.org:8080 127.0.0.1:8080 hackenamin.duckdns.org:8080 127.0.0.1:8080
Attributes	activate_away_mode true backup_connection_host 127.0.0.1 backup_dns_server 8.8.4.4 buffer_size 65535 build_time 2022-05-07T11:48:21.790283936Z bypass_user_account_control true bypass_user_account_control_data clear_access_control true clear_zone_identifier false connect_delay 4000 connection_port 8080 default_group Default enable_debug_mode true gc_threshold 1.048576e+07 keep_alive_timeout 30000 keyboard_logging false lan_timeout 2500 max_packet_size 1.048576e+07 mutex 35523077-e7cb-4a73-80a9-6f6f0dc2b313 mutex_timeout 5000 prevent_system_sleep false primary_connection_host hackenamin.duckdns.org primary_dns_server 8.8.8.8 request_elevation true restart_delay 5000 run_delay 0 run_on_startup false set_critical_process true timeout_interval 5000 use_custom_dns_server false version 1.2.2.0 wan_timeout 8000

Extracted

Family	mercurialgrabber
C2	https://discord.com/api/webhooks/1001432779277488129/ds6qwagh9qP4fRBOS0tRY_aM9hwOb5u7JARhwuzCEBGuhKBT8AQuW2d7u1RzTBLa_LSp https://discord.com/api/webhooks/1001432779277488129/ds6qwagh9qP4fRBOS0tRY_aM9hwOb5u7JARhwuzCEBGuhKBT8AQuW2d7u1RzTBLa_LSp

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Looks for VirtualBox Guest Additions in registry ⋅ 2 TTPs 1 IoCs
evasion

TTPs:

Query Registry Virtualization/Sandbox Evasion

Processes:

OUTPUT.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions OUTPUT.EXE
Executes dropped EXE ⋅ 2 IoCs

Processes:

ICEY.EXEOUTPUT.EXE

pid process

2144 ICEY.EXE
4776 OUTPUT.EXE
Looks for VMWare Tools registry key ⋅ 2 TTPs 1 IoCs
evasion

TTPs:

Query Registry Virtualization/Sandbox Evasion

Processes:

OUTPUT.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools OUTPUT.EXE
Checks BIOS information in registry ⋅ 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

OUTPUT.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion OUTPUT.EXE
Reads user/profile data of web browsers ⋅ 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

TTPs:

Data from Local System Credentials in Files

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	OUTPUT.EXE

pid	process
2144	ICEY.EXE
4776	OUTPUT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	OUTPUT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OUTPUT.EXE

Adds Run key to start application ⋅ 2 TTPs 1 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

ICEY.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe"	ICEY.EXE

Checks whether UAC is enabled ⋅ 1 TTPs 1 IoCs
evasion trojan

TTPs:

System Information Discovery

Processes:

ICEY.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ICEY.EXE
Legitimate hosting services abused for malware hosting/C2 ⋅ 1 TTPs

TTPs:

Web Service
Looks up external IP address via web service ⋅ 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip4.seeip.org
2 ip4.seeip.org
3 ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ICEY.EXE

flow	ioc
1	ip4.seeip.org
2	ip4.seeip.org
3	ip-api.com

Maps connected drives based on registry ⋅ 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

TTPs:

Query Registry Peripheral Device Discovery System Information Discovery

Processes:

OUTPUT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OUTPUT.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	OUTPUT.EXE

Drops file in Program Files directory ⋅ 2 IoCs

Processes:

ICEY.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\UDP Subsystem\udpss.exe	ICEY.EXE
File created	C:\Program Files (x86)\UDP Subsystem\udpss.exe	ICEY.EXE

Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery
Checks SCSI registry key(s) ⋅ 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.

TTPs:

Query Registry Peripheral Device Discovery System Information Discovery

Processes:

OUTPUT.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S OUTPUT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OUTPUT.EXE

Checks processor information in registry ⋅ 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

OUTPUT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OUTPUT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OUTPUT.EXE

Enumerates system info in registry ⋅ 2 TTPs 4 IoCs

TTPs:

Query Registry System Information Discovery

Processes:

OUTPUT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OUTPUT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OUTPUT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OUTPUT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OUTPUT.EXE

Suspicious behavior: EnumeratesProcesses ⋅ 6 IoCs

Processes:

ICEY.EXE

pid process

2144 ICEY.EXE
2144 ICEY.EXE
2144 ICEY.EXE
2144 ICEY.EXE
2144 ICEY.EXE
2144 ICEY.EXE
Suspicious behavior: GetForegroundWindowSpam ⋅ 1 IoCs

Processes:

ICEY.EXE

pid process

2144 ICEY.EXE
Suspicious use of AdjustPrivilegeToken ⋅ 2 IoCs

Processes:

OUTPUT.EXEICEY.EXE

description pid process

Token: SeDebugPrivilege 4776 OUTPUT.EXE
Token: SeDebugPrivilege 2144 ICEY.EXE

pid	process
2144	ICEY.EXE
2144	ICEY.EXE
2144	ICEY.EXE
2144	ICEY.EXE
2144	ICEY.EXE
2144	ICEY.EXE

pid	process
2144	ICEY.EXE

description	pid	process
Token: SeDebugPrivilege	4776	OUTPUT.EXE
Token: SeDebugPrivilege	2144	ICEY.EXE

Suspicious use of WriteProcessMemory ⋅ 5 IoCs

Processes:

ICEY LOADER 2022.exe

description	pid	process	target process
PID 2772 wrote to memory of 2144	2772	ICEY LOADER 2022.exe	ICEY.EXE
PID 2772 wrote to memory of 2144	2772	ICEY LOADER 2022.exe	ICEY.EXE
PID 2772 wrote to memory of 2144	2772	ICEY LOADER 2022.exe	ICEY.EXE
PID 2772 wrote to memory of 4776	2772	ICEY LOADER 2022.exe	OUTPUT.EXE
PID 2772 wrote to memory of 4776	2772	ICEY LOADER 2022.exe	OUTPUT.EXE

C:\Users\Admin\AppData\Local\Temp\ICEY LOADER 2022.exe

"C:\Users\Admin\AppData\Local\Temp\ICEY LOADER 2022.exe"

Suspicious use of WriteProcessMemory

PID:2772

C:\Users\Admin\AppData\Roaming\ICEY.EXE

"C:\Users\Admin\AppData\Roaming\ICEY.EXE"

Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken

PID:2144

C:\Users\Admin\AppData\Roaming\OUTPUT.EXE

"C:\Users\Admin\AppData\Roaming\OUTPUT.EXE"

Looks for VirtualBox Guest Additions in registry
Executes dropped EXE
Looks for VMWare Tools registry key
Checks BIOS information in registry
Maps connected drives based on registry
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken

PID:4776

Network

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Roaming\ICEY.EXE
MD5
149e0f200d7c8cb4a68c481c9d8f0665

SHA1
b478e1f92ea85edeb436b4f96d4eac4ffa958ce4

SHA256
3f8dd41671c3b19a4c40951582e22189f7c7157061901a61bfb2e81cea18f0f7

SHA512
510b2996ceefa32ef6f682226c49845b7b5e70732dc1d635f70abf9f6b333e5513d29b156d86869e0dd43ebf1682c54a1da7b09f250948038ecf36b4fb8fe489

Download Submit
C:\Users\Admin\AppData\Roaming\ICEY.EXE
MD5
149e0f200d7c8cb4a68c481c9d8f0665

SHA1
b478e1f92ea85edeb436b4f96d4eac4ffa958ce4

SHA256
3f8dd41671c3b19a4c40951582e22189f7c7157061901a61bfb2e81cea18f0f7

SHA512
510b2996ceefa32ef6f682226c49845b7b5e70732dc1d635f70abf9f6b333e5513d29b156d86869e0dd43ebf1682c54a1da7b09f250948038ecf36b4fb8fe489

Download Submit
C:\Users\Admin\AppData\Roaming\OUTPUT.EXE
MD5
0c8ac4b0c3a0f0e690a9710428937449

SHA1
0c85c9c54e8a74b96420bc928c1c0241ad4f0ce1

SHA256
7aa6077865dd7845b51a14260492d6f68f76a47498059ee92d015cba2079ff1b

SHA512
fa22a9601207c23065b13f4754a97ab8f5d42b8b878f5a4032be4dcc94bde2f65d2b51e958b111618b8487a88ea65e341950f51ec216f18377bdc06062460006

Download Submit
C:\Users\Admin\AppData\Roaming\OUTPUT.EXE
MD5
0c8ac4b0c3a0f0e690a9710428937449

SHA1
0c85c9c54e8a74b96420bc928c1c0241ad4f0ce1

SHA256
7aa6077865dd7845b51a14260492d6f68f76a47498059ee92d015cba2079ff1b

SHA512
fa22a9601207c23065b13f4754a97ab8f5d42b8b878f5a4032be4dcc94bde2f65d2b51e958b111618b8487a88ea65e341950f51ec216f18377bdc06062460006

Download Submit
memory/2144-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-211-0x0000000073D90000-0x0000000074340000-memory.dmp

Download
memory/2144-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-185-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-186-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-158-0x0000000000000000-mapping.dmp

Download
memory/2144-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2144-231-0x0000000073D90000-0x0000000074340000-memory.dmp

Download
memory/2144-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-117-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-118-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-116-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/2772-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Download
memory/4776-173-0x0000000000C90000-0x0000000000CA0000-memory.dmp

Download
memory/4776-161-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads