icexloader | 8982e072b2b380555b308d7180ee08b36e524907668b0f6f98f9136bbe93ac13

Analysis

max time kernel
134s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2022 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

798KB
MD5

f22767b6260d5c30146637eb8bb602c8
SHA1

f9172f701a0c3957af1801e25951d6cd154e67ec
SHA256

8982e072b2b380555b308d7180ee08b36e524907668b0f6f98f9136bbe93ac13
SHA512

749174038409ad519527ae2f29200a1cc9a0ddd6d767e7d15f43053e9e6bb33578bce8739305aaf1e26ef34de1a0afb914bbe19a9a0ea6fc8036a8bee714da9b
SSDEEP

3072:lahKyd2n3165U1SXdkLPdf/RVJzKEANr8qkCr:lahO7IsRVJz0rO

Score

10^/10

icexloader loader persistence

Malware Config

Extracted

Family

icexloader

http://stealthelite.one/magnumopus/Script.php

Signatures

Detects IceXLoader v3.0 4 IoCs

resource	yara_rule
behavioral2/memory/2552-146-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral2/memory/2552-149-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral2/memory/2552-150-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3
behavioral2/memory/2552-153-0x0000000000400000-0x0000000000451000-memory.dmp	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Executes dropped EXE 3 IoCs

pid	Process
3968	SETUP_~1.EXE
2552	SETUP_~1.EXE
4636	Opus.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SETUP_~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Opus.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Opus.exe	SETUP_~1.EXE

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	SETUP_~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opus = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opus.exe\""	SETUP_~1.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	SETUP_~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Opus = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opus.exe\""	SETUP_~1.EXE
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3968 set thread context of 2552	3968	SETUP_~1.EXE	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4936	timeout.exe
852	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3848	powershell.exe
3848	powershell.exe
4176	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3968	SETUP_~1.EXE
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	4636	Opus.exe
Token: SeDebugPrivilege	4176	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 3968	1664	file.exe	83
PID 1664 wrote to memory of 3968	1664	file.exe	83
PID 1664 wrote to memory of 3968	1664	file.exe	83
PID 3968 wrote to memory of 3848	3968	SETUP_~1.EXE	91
PID 3968 wrote to memory of 3848	3968	SETUP_~1.EXE	91
PID 3968 wrote to memory of 3848	3968	SETUP_~1.EXE	91
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 3968 wrote to memory of 2552	3968	SETUP_~1.EXE	93
PID 2552 wrote to memory of 4688	2552	SETUP_~1.EXE	94
PID 2552 wrote to memory of 4688	2552	SETUP_~1.EXE	94
PID 2552 wrote to memory of 4688	2552	SETUP_~1.EXE	94
PID 2552 wrote to memory of 2272	2552	SETUP_~1.EXE	96
PID 2552 wrote to memory of 2272	2552	SETUP_~1.EXE	96
PID 2552 wrote to memory of 2272	2552	SETUP_~1.EXE	96
PID 2272 wrote to memory of 4936	2272	cmd.exe	98
PID 2272 wrote to memory of 4936	2272	cmd.exe	98
PID 2272 wrote to memory of 4936	2272	cmd.exe	98
PID 4688 wrote to memory of 852	4688	cmd.exe	99
PID 4688 wrote to memory of 852	4688	cmd.exe	99
PID 4688 wrote to memory of 852	4688	cmd.exe	99
PID 4688 wrote to memory of 4636	4688	cmd.exe	100
PID 4688 wrote to memory of 4636	4688	cmd.exe	100
PID 4688 wrote to memory of 4636	4688	cmd.exe	100
PID 4636 wrote to memory of 4176	4636	Opus.exe	101
PID 4636 wrote to memory of 4176	4636	Opus.exe	101
PID 4636 wrote to memory of 4176	4636	Opus.exe	101

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA2AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3848
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c timeout 2 & "C:\Users\Admin\AppData\Roaming\Opus.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4688
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:852
    - - C:\Users\Admin\AppData\Roaming\Opus.exe
        
        "C:\Users\Admin\AppData\Roaming\Opus.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA2AA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c timeout 1 & del /F "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
dc801fc8f267b7b7696bfaeaff3986a3

SHA1
b7c8a880309e1c0a13952838b1ba4a7cb9d89b47

SHA256
52ee2d7f9b70ebb0441b29366a181c9d961237779c69f5bfb93266408d4b0d83

SHA512
f72693c8b7158a677ea87700e7e73d4eb5f4251ae1abf7fa7b9a4ff9212f109d1adc8fe322d6793d733e643cb3d1d458159b9dfe2bb5635a3f66945117d8b838

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
334.1MB

MD5
e40665abba2787f3721ce00532ee17db

SHA1
dd9cd11aaa778e5e3b0810c90c659804425f0d0d

SHA256
f80d7f5e6551b8e5be0f6c857a879fbc72c9c6290bfb28bd8127e3c8c947a44d

SHA512
060d18ed8cf474f7a2c2f53647a6c36517ac620a1e80c3d19e62260cbb78a7cae1e27e6a93feb15109d115c5bba334386ff90703fa176a491f016070e6e7801c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
334.1MB

MD5
e40665abba2787f3721ce00532ee17db

SHA1
dd9cd11aaa778e5e3b0810c90c659804425f0d0d

SHA256
f80d7f5e6551b8e5be0f6c857a879fbc72c9c6290bfb28bd8127e3c8c947a44d

SHA512
060d18ed8cf474f7a2c2f53647a6c36517ac620a1e80c3d19e62260cbb78a7cae1e27e6a93feb15109d115c5bba334386ff90703fa176a491f016070e6e7801c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
313.3MB

MD5
9b2eedb5bfc62ae75800f9ceb1a9bcee

SHA1
5e48e2f57e038c1900acc6d48fa2a40747f28018

SHA256
5e4d4f66a23a6e46a00749321fc0965936e50bcdfbb296b485c0bffde92fa2cb

SHA512
53b7319773fdc688bbc5dd388cc2050496a95afcd9be847a4fe1dea691ef3d5fe3982554f575ccadfd9513285d3765a0687260337ba22e8ddfd4dbd18b939d4d

Download Submit
C:\Users\Admin\AppData\Roaming\Opus.exe

Filesize
200.2MB

MD5
64a1c0e1c0c759899a3ad60fa0626a24

SHA1
cd715461fc7615ae8a98510b6b53f4e8faff6945

SHA256
a2e0ab4e8dd9b65f72db6357c4091b8ac0ed2766aa056ee156ddb4c2437ee7c3

SHA512
68b18936501220d865c6170b4c76f75df34ffc9e0fdf458d104601ab7e426c2b468c61d90f471a0820c7dd8ce0ee3eeebce168bc3eb840e525ca0065cf9dda5c

Download Submit
C:\Users\Admin\AppData\Roaming\Opus.exe

Filesize
180.3MB

MD5
d8d0b96f855010d4fed1137b67bbb271

SHA1
03dad96b6ff82dab81739c27144295ac82b74573

SHA256
75f290af64988ea7e0e1d9289aa34f2a24084e6a275be544b9623040009753a8

SHA512
4a8e50f0b176f8949918434fedd0fe379d51e7fb26d3f4b78cdeeca6f5851635736c48d6b2bb2198d8b40cdce00a600a6af89ebb18850a04defd2851b5f8e485

Download Submit
memory/2552-146-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2552-149-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2552-153-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2552-150-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3848-143-0x0000000007450000-0x0000000007ACA000-memory.dmp

Filesize
6.5MB

Download
memory/3848-142-0x0000000005C00000-0x0000000005C1E000-memory.dmp

Filesize
120KB

Download
memory/3848-140-0x0000000004CC0000-0x0000000004D26000-memory.dmp

Filesize
408KB

Download
memory/3848-144-0x00000000060A0000-0x00000000060BA000-memory.dmp

Filesize
104KB

Download
memory/3848-141-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/3848-139-0x0000000004DB0000-0x00000000053D8000-memory.dmp

Filesize
6.2MB

Download
memory/3848-138-0x0000000004620000-0x0000000004656000-memory.dmp

Filesize
216KB

Download
memory/3968-135-0x0000000000F00000-0x0000000000F50000-memory.dmp

Filesize
320KB

Download
memory/3968-136-0x00000000076B0000-0x00000000076D2000-memory.dmp

Filesize
136KB

Download