General

  • Target

    file

  • Size

    798KB

  • Sample

    221022-y52vsaeeh2

  • MD5

    f22767b6260d5c30146637eb8bb602c8

  • SHA1

    f9172f701a0c3957af1801e25951d6cd154e67ec

  • SHA256

    8982e072b2b380555b308d7180ee08b36e524907668b0f6f98f9136bbe93ac13

  • SHA512

    749174038409ad519527ae2f29200a1cc9a0ddd6d767e7d15f43053e9e6bb33578bce8739305aaf1e26ef34de1a0afb914bbe19a9a0ea6fc8036a8bee714da9b

  • SSDEEP

    3072:lahKyd2n3165U1SXdkLPdf/RVJzKEANr8qkCr:lahO7IsRVJz0rO

Malware Config

Extracted

Family

icexloader

C2

http://stealthelite.one/magnumopus/Script.php

Targets

    • Target

      file

    • Size

      798KB

    • MD5

      f22767b6260d5c30146637eb8bb602c8

    • SHA1

      f9172f701a0c3957af1801e25951d6cd154e67ec

    • SHA256

      8982e072b2b380555b308d7180ee08b36e524907668b0f6f98f9136bbe93ac13

    • SHA512

      749174038409ad519527ae2f29200a1cc9a0ddd6d767e7d15f43053e9e6bb33578bce8739305aaf1e26ef34de1a0afb914bbe19a9a0ea6fc8036a8bee714da9b

    • SSDEEP

      3072:lahKyd2n3165U1SXdkLPdf/RVJzKEANr8qkCr:lahO7IsRVJz0rO

    • Detects IceXLoader v3.0

    • icexloader

      IceXLoader is a downloader used to deliver other malware families.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence: loaders commonly read the victim's locale at startup and stay dormant in regions the operator wants to avoid.

    • Drops startup file

      Creates a file in a Startup folder, an autostart location that runs at user logon.

    • Adds Run key to start application

      Writes a value under a Run key so the sample is re-launched at logon (persistence, T1060 in the matrix below).

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites another thread's register state; outside a debugger this is a common step of process hollowing, where a loader writes its payload into a suspended process and redirects that process's main thread to it.

MITRE ATT&CK Matrix (ATT&CK v6)

Technique IDs follow ATT&CK v6, the version the sandbox mapped against. In current ATT&CK, T1060 has been retired and its content now lives under T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder); T1112, T1012 and T1082 keep their IDs. The count next to each technique is the number of hits the sandbox recorded for it.

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 hit

  • Defense Evasion: Modify Registry (T1112), 1 hit

  • Discovery: Query Registry (T1012), 1 hit

  • Discovery: System Information Discovery (T1082), 2 hits
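The signatures above are produced by matching API-level traces against behaviour rules and tallying the hits per ATT&CK technique. As an added example (not the sandbox's code, nor anything extracted from this sample), the script below runs a few constructed trace lines of that shape through rules for the four behaviours the report lists. The trace lines, the line format, the registry location used for the country check (Control Panel\International\Geo, value Nation) and the behaviour-to-technique pairing are all assumptions of this example; the report itself does not name the key read or state which signature maps to which technique.

```python
"""Added example: classify sandbox-style API trace lines against the
behaviours this report lists and tally them per ATT&CK v6 technique."""
import re
from collections import Counter

# Trace line format (assumed): '<API> k1="v1" k2="v2" ...'
LINE_RE = re.compile(r'^(?P<api>\w+)\s*(?P<args>.*)$')
ARG_RE = re.compile(r'(\w+)="([^"]*)"')

# Autostart registry keys behind "Adds Run key to start application".
RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.I)
# Per-user/all-users Startup folder behind "Drops startup file".
STARTUP_DIR_RE = re.compile(r'\\Start Menu\\Programs\\Startup\\', re.I)
# Assumption: the report does not say which registry location is read for the
# country check; Control Panel\International\Geo (value "Nation", a Windows
# GeoID) is used here for illustration only.
GEO_KEY_RE = re.compile(r'\\Control Panel\\International\\Geo$', re.I)

# Assumption: my reading of which technique each signature feeds; the matrix
# only lists totals. SetThreadContext has no technique in the report's matrix.
RULES = {
    "Checks computer location settings": ("T1012", "T1082"),
    "Adds Run key to start application": ("T1060", "T1112"),
    "Drops startup file": ("T1060",),
    "Suspicious use of SetThreadContext": (),
}

# Constructed trace, not captured from the sample: a geofence lookup, two
# persistence writes, a hollowing step, plus benign noise that must not fire.
SAMPLE_TRACE = r"""
GetTickCount
RegQueryValueExW key="HKCU\Control Panel\International\Geo" value="Nation"
CreateFileW path="C:\Windows\System32\ntdll.dll"
RegSetValueExW key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value="Update" data="C:\Users\Admin\AppData\Roaming\svc.exe"
CreateFileW path="C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"
RegQueryValueExW key="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" value="ProductName"
SetThreadContext hThread="0x1a4"
"""


def parse_line(line):
    """Split one trace line into {'api': ..., <arg>: <value>, ...} or None."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("api"):
        return None
    return {"api": m.group("api"), **dict(ARG_RE.findall(m.group("args")))}


def classify(ev):
    """Return the behaviour name a single parsed event matches, or None."""
    api = ev["api"]
    key = ev.get("key", "")
    if api.startswith("RegQueryValueEx") and GEO_KEY_RE.search(key) \
            and ev.get("value", "").lower() == "nation":
        return "Checks computer location settings"
    if api.startswith("RegSetValueEx") and RUN_KEY_RE.search(key):
        return "Adds Run key to start application"
    if api in ("CreateFileW", "CopyFileW", "MoveFileW") \
            and STARTUP_DIR_RE.search(ev.get("path", "")):
        return "Drops startup file"
    if api == "SetThreadContext":
        return "Suspicious use of SetThreadContext"
    return None


def triage(trace):
    """Return (hits, tally): matched (behaviour, event) pairs in trace order,
    and a per-technique hit count like the matrix in the report."""
    hits = []
    for line in trace.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        behaviour = classify(ev)
        if behaviour:
            hits.append((behaviour, ev))
    tally = Counter()
    for behaviour, _ in hits:
        for tid in RULES[behaviour]:
            tally[tid] += 1
    return hits, dict(tally)


if __name__ == "__main__":
    found, counts = triage(SAMPLE_TRACE)
    for behaviour, ev in found:
        print(f"{behaviour:40s} {ev['api']} {ev.get('key') or ev.get('path') or ''}")
    print(counts)
```

Every rule is anchored on the API family plus the specific path or key, so the benign ntdll.dll open and the ProductName query in the constructed trace stay silent; loosen either anchor and the rule starts firing on ordinary software. The per-technique tally changes with the attribution chosen in RULES, which is why a matrix count alone does not tell you which signature produced it.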
