Analysis
-
max time kernel
141s -
max time network
152s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
24-09-2022 11:17
General
-
Target
ICEY LOADER 2022.exe
-
Size
4.8MB
-
MD5
170343dae67f141321e31a6b1bf981f4
-
SHA1
322d6493902eb57c4459e87dfea219b8aed9ba44
-
SHA256
c23e8f61e677667f91254417a9dcd50bb07ba2675e0f011e34f36d977c57dbf2
-
SHA512
f89895ea2778362866408fbbd7d12164440d9a98b02eb325d7d820a6fcdac4c4046460909b7c62f1937cd60c0546dd74c4dc4d502fd58722183f9c7b951ef727
-
SSDEEP
6144:KSncRldLV6Bta6dtJmakIM54uZ97mtdX5iSHk:H4nLV6Btpmk7uZYnp5k
Malware Config
Extracted
nanocore
1.2.2.0
hackenamin.duckdns.org:8080
127.0.0.1:8080
35523077-e7cb-4a73-80a9-6f6f0dc2b313
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-05-07T11:48:21.790283936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
8080
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
35523077-e7cb-4a73-80a9-6f6f0dc2b313
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
hackenamin.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1001432779277488129/ds6qwagh9qP4fRBOS0tRY_aM9hwOb5u7JARhwuzCEBGuhKBT8AQuW2d7u1RzTBLa_LSp
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ICEY LOADER 2022.exe"C:\Users\Admin\AppData\Local\Temp\ICEY LOADER 2022.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ICEY.EXE"C:\Users\Admin\AppData\Roaming\ICEY.EXE"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\OUTPUT.EXE"C:\Users\Admin\AppData\Roaming\OUTPUT.EXE"2⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\ICEY.EXEFilesize
203KB
MD5149e0f200d7c8cb4a68c481c9d8f0665
SHA1b478e1f92ea85edeb436b4f96d4eac4ffa958ce4
SHA2563f8dd41671c3b19a4c40951582e22189f7c7157061901a61bfb2e81cea18f0f7
SHA512510b2996ceefa32ef6f682226c49845b7b5e70732dc1d635f70abf9f6b333e5513d29b156d86869e0dd43ebf1682c54a1da7b09f250948038ecf36b4fb8fe489
-
C:\Users\Admin\AppData\Roaming\ICEY.EXEFilesize
203KB
MD5149e0f200d7c8cb4a68c481c9d8f0665
SHA1b478e1f92ea85edeb436b4f96d4eac4ffa958ce4
SHA2563f8dd41671c3b19a4c40951582e22189f7c7157061901a61bfb2e81cea18f0f7
SHA512510b2996ceefa32ef6f682226c49845b7b5e70732dc1d635f70abf9f6b333e5513d29b156d86869e0dd43ebf1682c54a1da7b09f250948038ecf36b4fb8fe489
-
C:\Users\Admin\AppData\Roaming\OUTPUT.EXEFilesize
41KB
MD50c8ac4b0c3a0f0e690a9710428937449
SHA10c85c9c54e8a74b96420bc928c1c0241ad4f0ce1
SHA2567aa6077865dd7845b51a14260492d6f68f76a47498059ee92d015cba2079ff1b
SHA512fa22a9601207c23065b13f4754a97ab8f5d42b8b878f5a4032be4dcc94bde2f65d2b51e958b111618b8487a88ea65e341950f51ec216f18377bdc06062460006
-
C:\Users\Admin\AppData\Roaming\OUTPUT.EXEFilesize
41KB
MD50c8ac4b0c3a0f0e690a9710428937449
SHA10c85c9c54e8a74b96420bc928c1c0241ad4f0ce1
SHA2567aa6077865dd7845b51a14260492d6f68f76a47498059ee92d015cba2079ff1b
SHA512fa22a9601207c23065b13f4754a97ab8f5d42b8b878f5a4032be4dcc94bde2f65d2b51e958b111618b8487a88ea65e341950f51ec216f18377bdc06062460006
-
memory/2144-175-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-211-0x0000000073D90000-0x0000000074340000-memory.dmpFilesize
5.7MB
-
memory/2144-183-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-182-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-181-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-180-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-179-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-178-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-177-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-176-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-185-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-186-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-171-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-184-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-174-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-169-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-168-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-167-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-166-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-165-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-164-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-158-0x0000000000000000-mapping.dmp
-
memory/2144-160-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2144-231-0x0000000073D90000-0x0000000074340000-memory.dmpFilesize
5.7MB
-
memory/2144-162-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-134-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-138-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-147-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-148-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-149-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-150-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-151-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-152-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-153-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-154-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-155-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-156-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-157-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-145-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-117-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-146-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-144-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-143-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-142-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-140-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-139-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-141-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-137-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-136-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-135-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-118-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-116-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-133-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-132-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-131-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-130-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-129-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-128-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-127-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-126-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-125-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-124-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-123-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-122-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-121-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-120-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/2772-119-0x00000000779B0000-0x0000000077B3E000-memory.dmpFilesize
1.6MB
-
memory/4776-173-0x0000000000C90000-0x0000000000CA0000-memory.dmpFilesize
64KB
-
memory/4776-161-0x0000000000000000-mapping.dmp