Analysis
- max time kernel: 148s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 24-09-2022 11:17
Behavioral task behavioral1
- Sample: ICEY LOADER 2022.exe
- Resource: win10-20220812-en
Behavioral task behavioral2
- Sample: ICEY LOADER 2022.exe
- Resource: win10v2004-20220812-en
General
- Target: ICEY LOADER 2022.exe
- Size: 4.8MB
- MD5: 170343dae67f141321e31a6b1bf981f4
- SHA1: 322d6493902eb57c4459e87dfea219b8aed9ba44
- SHA256: c23e8f61e677667f91254417a9dcd50bb07ba2675e0f011e34f36d977c57dbf2
- SHA512: f89895ea2778362866408fbbd7d12164440d9a98b02eb325d7d820a6fcdac4c4046460909b7c62f1937cd60c0546dd74c4dc4d502fd58722183f9c7b951ef727
- SSDEEP: 6144:KSncRldLV6Bta6dtJmakIM54uZ97mtdX5iSHk:H4nLV6Btpmk7uZYnp5k
Malware Config
Extracted
nanocore
1.2.2.0
hackenamin.duckdns.org:8080
127.0.0.1:8080
35523077-e7cb-4a73-80a9-6f6f0dc2b313
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-05-07T11:48:21.790283936Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 8080
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 35523077-e7cb-4a73-80a9-6f6f0dc2b313
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: hackenamin.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1001432779277488129/ds6qwagh9qP4fRBOS0tRY_aM9hwOb5u7JARhwuzCEBGuhKBT8AQuW2d7u1RzTBLa_LSp
Signatures
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Processes: OUTPUT.EXE
  Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (OUTPUT.EXE)
- Executes dropped EXE (2 IoCs)
  Processes: ICEY.EXE, OUTPUT.EXE
  PID 5012 ICEY.EXE
  PID 4928 OUTPUT.EXE
- Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Processes: OUTPUT.EXE
  Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools (OUTPUT.EXE)
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: OUTPUT.EXE
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (OUTPUT.EXE)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: ICEY LOADER 2022.exe
  Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (ICEY LOADER 2022.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: ICEY.EXE
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" (ICEY.EXE)
- Checks whether UAC is enabled
  Processes: ICEY.EXE
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (ICEY.EXE)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: 4 ip4.seeip.org; 5 ip4.seeip.org; 8 ip-api.com
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: OUTPUT.EXE
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (OUTPUT.EXE)
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (OUTPUT.EXE)
- Drops file in Program Files directory (2 IoCs)
  Processes: ICEY.EXE
  File created C:\Program Files (x86)\DDP Host\ddphost.exe (ICEY.EXE)
  File opened for modification C:\Program Files (x86)\DDP Host\ddphost.exe (ICEY.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 1 IoC)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: OUTPUT.EXE
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S (OUTPUT.EXE)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: OUTPUT.EXE
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (OUTPUT.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (OUTPUT.EXE)
- Enumerates system info in registry (2 TTPs, 4 IoCs)
  Processes: OUTPUT.EXE
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation (OUTPUT.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer (OUTPUT.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName (OUTPUT.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 (OUTPUT.EXE)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: ICEY.EXE
  PID 5012 ICEY.EXE (6 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: ICEY.EXE
  PID 5012 ICEY.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: OUTPUT.EXE, ICEY.EXE
  Token: SeDebugPrivilege, PID 4928 OUTPUT.EXE
  Token: SeDebugPrivilege, PID 5012 ICEY.EXE
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: ICEY LOADER 2022.exe
  PID 4260 (ICEY LOADER 2022.exe) wrote to memory of PID 5012 (ICEY.EXE) (3 occurrences)
  PID 4260 (ICEY LOADER 2022.exe) wrote to memory of PID 4928 (OUTPUT.EXE) (2 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\ICEY LOADER 2022.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ICEY LOADER 2022.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\ICEY.EXE
    Command line: "C:\Users\Admin\AppData\Roaming\ICEY.EXE"
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\OUTPUT.EXE
    Command line: "C:\Users\Admin\AppData\Roaming\OUTPUT.EXE"
    - Looks for VirtualBox Guest Additions in registry
    - Executes dropped EXE
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\ICEY.EXE
  Filesize: 203KB
  MD5: 149e0f200d7c8cb4a68c481c9d8f0665
  SHA1: b478e1f92ea85edeb436b4f96d4eac4ffa958ce4
  SHA256: 3f8dd41671c3b19a4c40951582e22189f7c7157061901a61bfb2e81cea18f0f7
  SHA512: 510b2996ceefa32ef6f682226c49845b7b5e70732dc1d635f70abf9f6b333e5513d29b156d86869e0dd43ebf1682c54a1da7b09f250948038ecf36b4fb8fe489
- C:\Users\Admin\AppData\Roaming\OUTPUT.EXE
  Filesize: 41KB
  MD5: 0c8ac4b0c3a0f0e690a9710428937449
  SHA1: 0c85c9c54e8a74b96420bc928c1c0241ad4f0ce1
  SHA256: 7aa6077865dd7845b51a14260492d6f68f76a47498059ee92d015cba2079ff1b
  SHA512: fa22a9601207c23065b13f4754a97ab8f5d42b8b878f5a4032be4dcc94bde2f65d2b51e958b111618b8487a88ea65e341950f51ec216f18377bdc06062460006
- memory/4928-135-0x0000000000000000-mapping.dmp
- memory/4928-138-0x0000000000970000-0x0000000000980000-memory.dmp (Filesize: 64KB)
- memory/4928-140-0x00007FFFCEC30000-0x00007FFFCF6F1000-memory.dmp (Filesize: 10.8MB)
- memory/4928-141-0x00007FFFCEC30000-0x00007FFFCF6F1000-memory.dmp (Filesize: 10.8MB)
- memory/5012-132-0x0000000000000000-mapping.dmp
- memory/5012-139-0x0000000073770000-0x0000000073D21000-memory.dmp (Filesize: 5.7MB)
- memory/5012-142-0x0000000073770000-0x0000000073D21000-memory.dmp (Filesize: 5.7MB)