General

  • Target

    file.exe

  • Size

    603KB

  • Sample

    221024-w4ww2aaae7

  • MD5

    cb90f4dd9eb3424268b20a1581668acd

  • SHA1

    136a226e0f56c7bf53822ab116ea4304b8a636e6

  • SHA256

    49d6552ae5c5027ce1e68edee2438564b50ddc384276fd97360c92503771d3ac

  • SHA512

    43ef96a52dfe7018d7fd9315c428fb1b368e92357585f57bd405260d5e5d9f498e423d0a3d5de1ef300983f3f7b42bd7a2f2217ca5d74b88c4533021086c19a4

  • SSDEEP

    3072:QahKyd2n3165+HAsZsJBh6aH1wQwpSbr:QahOpqhvSn

Malware Config

Extracted

Family

icexloader

C2

http://stealthelite.one/magnumopus/Script.php

Targets

    • Detects IceXLoader v3.0

    • icexloader

      IceXLoader is a downloader used to deliver other malware families.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks