icexloader | 8982e072b2b380555b308d7180ee08b36e524907668b0f6f98f9136bbe93ac13

General

Target

file.exe
Size

798KB
MD5

f22767b6260d5c30146637eb8bb602c8
SHA1

f9172f701a0c3957af1801e25951d6cd154e67ec
SHA256

8982e072b2b380555b308d7180ee08b36e524907668b0f6f98f9136bbe93ac13
SHA512

749174038409ad519527ae2f29200a1cc9a0ddd6d767e7d15f43053e9e6bb33578bce8739305aaf1e26ef34de1a0afb914bbe19a9a0ea6fc8036a8bee714da9b
SSDEEP

3072:lahKyd2n3165U1SXdkLPdf/RVJzKEANr8qkCr:lahO7IsRVJz0rO

Score

10^/10

icexloader loader persistence

Malware Config

Extracted

Family

icexloader

C2

http://stealthelite.one/magnumopus/Script.php

Signatures

Detects IceXLoader v3.0 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/820-146-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral2/memory/820-149-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral2/memory/820-150-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral2/memory/820-151-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader
Executes dropped EXE 2 IoCs

Processes:

SETUP_~1.EXESETUP_~1.EXE

pid process

4504 SETUP_~1.EXE
820 SETUP_~1.EXE

pid	process
4504	SETUP_~1.EXE
820	SETUP_~1.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SETUP_~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SETUP_~1.EXE

Drops startup file 1 IoCs

Processes:

SETUP_~1.EXE

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Opus.exe SETUP_~1.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Opus.exe	SETUP_~1.EXE

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SETUP_~1.EXEfile.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Opus = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opus.exe\""	SETUP_~1.EXE
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	SETUP_~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opus = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opus.exe\""	SETUP_~1.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	SETUP_~1.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

SETUP_~1.EXE

description pid process target process

PID 4504 set thread context of 820 4504 SETUP_~1.EXE SETUP_~1.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1884 powershell.exe
1884 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SETUP_~1.EXEpowershell.exe

description pid process

Token: SeDebugPrivilege 4504 SETUP_~1.EXE
Token: SeDebugPrivilege 1884 powershell.exe

description	pid	process	target process
PID 4504 set thread context of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE

pid	process
1884	powershell.exe
1884	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4504	SETUP_~1.EXE
Token: SeDebugPrivilege	1884	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

file.exeSETUP_~1.EXE

description	pid	process	target process
PID 2164 wrote to memory of 4504	2164	file.exe	SETUP_~1.EXE
PID 2164 wrote to memory of 4504	2164	file.exe	SETUP_~1.EXE
PID 2164 wrote to memory of 4504	2164	file.exe	SETUP_~1.EXE
PID 4504 wrote to memory of 1884	4504	SETUP_~1.EXE	powershell.exe
PID 4504 wrote to memory of 1884	4504	SETUP_~1.EXE	powershell.exe
PID 4504 wrote to memory of 1884	4504	SETUP_~1.EXE	powershell.exe
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE
PID 4504 wrote to memory of 820	4504	SETUP_~1.EXE	SETUP_~1.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA2AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
Filesize
334.1MB

MD5
e40665abba2787f3721ce00532ee17db

SHA1
dd9cd11aaa778e5e3b0810c90c659804425f0d0d

SHA256
f80d7f5e6551b8e5be0f6c857a879fbc72c9c6290bfb28bd8127e3c8c947a44d

SHA512
060d18ed8cf474f7a2c2f53647a6c36517ac620a1e80c3d19e62260cbb78a7cae1e27e6a93feb15109d115c5bba334386ff90703fa176a491f016070e6e7801c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
Filesize
334.1MB

MD5
e40665abba2787f3721ce00532ee17db

SHA1
dd9cd11aaa778e5e3b0810c90c659804425f0d0d

SHA256
f80d7f5e6551b8e5be0f6c857a879fbc72c9c6290bfb28bd8127e3c8c947a44d

SHA512
060d18ed8cf474f7a2c2f53647a6c36517ac620a1e80c3d19e62260cbb78a7cae1e27e6a93feb15109d115c5bba334386ff90703fa176a491f016070e6e7801c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
Filesize
283.8MB

MD5
ac42afd8aee2793467ee214a6025bc3d

SHA1
cdafe82ab17d981cf29f111dd24a8aec5d1f747f

SHA256
98359762ef9827a08292ab3ae66c9af1855c8f11ce376940d861ee2b5db3725d

SHA512
24160915bb7a97bdf667f2808b562f7ebf64252454d31f8a27648b9f1a39b10620f26bef1b90e0e2502d20003f23fd33091d4a3697ef7db01bf4498cf7370095

Download Submit
memory/820-145-0x0000000000000000-mapping.dmp

Download
memory/820-151-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/820-150-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/820-149-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/820-146-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1884-144-0x0000000006230000-0x000000000624A000-memory.dmp

Filesize
104KB

Download
memory/1884-141-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download
memory/1884-142-0x0000000005D40000-0x0000000005D5E000-memory.dmp

Filesize
120KB

Download
memory/1884-143-0x0000000007520000-0x0000000007B9A000-memory.dmp

Filesize
6.5MB

Download
memory/1884-140-0x0000000004F30000-0x0000000004F96000-memory.dmp

Filesize
408KB

Download
memory/1884-139-0x0000000004FB0000-0x00000000055D8000-memory.dmp

Filesize
6.2MB

Download
memory/1884-138-0x0000000002410000-0x0000000002446000-memory.dmp

Filesize
216KB

Download
memory/1884-137-0x0000000000000000-mapping.dmp

Download
memory/4504-132-0x0000000000000000-mapping.dmp

Download
memory/4504-136-0x0000000006DA0000-0x0000000006DC2000-memory.dmp

Filesize
136KB

Download
memory/4504-135-0x00000000007B0000-0x0000000000800000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads