icexloader | 2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59

General

Target

2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59.bin.exe
Size

348KB
MD5

d6b21df8cae11de41a09ddc530a42c19
SHA1

17bf628c1ac85079b96638aad0ea0e74efe7f1d7
SHA256

2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59
SHA512

9f209f1fa036ca59dce5ae4c6a4ce1ebcaf9fa4c2e000089936ca6ea1f290b5f9653ac69f57b12d4cd0a35b1e15a874269b6ad303a1333769df77dd24bbbdcc3
SSDEEP

6144:XbslI7T8AzZV2MYORbAV9bQdnXgfyVQhAyPlb/2:XbvIkEMtiQdwfyVQhAyPlb/2

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICE X.exe	2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59.bin.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59.bin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59.bin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5040	powershell.exe
5040	powershell.exe
4880	powershell.exe
4880	powershell.exe
952	powershell.exe
952	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 5052	4388	2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59.bin.exe	79
PID 4388 wrote to memory of 5052	4388	2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59.bin.exe	79
PID 4388 wrote to memory of 5052	4388	2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59.bin.exe	79
PID 5052 wrote to memory of 5040	5052	cmd.exe	81
PID 5052 wrote to memory of 5040	5052	cmd.exe	81
PID 5052 wrote to memory of 5040	5052	cmd.exe	81
PID 5052 wrote to memory of 4880	5052	cmd.exe	86
PID 5052 wrote to memory of 4880	5052	cmd.exe	86
PID 5052 wrote to memory of 4880	5052	cmd.exe	86
PID 5052 wrote to memory of 952	5052	cmd.exe	90
PID 5052 wrote to memory of 952	5052	cmd.exe	90
PID 5052 wrote to memory of 952	5052	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59.bin.exe
"C:\Users\Admin\AppData\Local\Temp\2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59.bin.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5040
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\ICE X\.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
43ad656c200412b6e15c87197453f756

SHA1
fc144182361cd76d9c0e2853cac24337211857cd

SHA256
7086f53606da7e3175063d2333129260b53658e6ad4d556172ecda2ed3e15a8b

SHA512
1517d799b4e87e88e4f991111ccf769dc5333d8a51f02969206d6ccde25cb79770020155f704e6047e2d876b50f59b0f810972343f5b5995ea3b145c5b97bc8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
914797fb9bf4905387f5d4ceb162495c

SHA1
e7574674ef14d73ba43db922cef01cd1da6082b2

SHA256
5447e005ea7291c503a1ad8a26fa61702ddff06ec14401feb67bd3222e4856d2

SHA512
33265581160f9b4b4c455b51e71b1d0e2ba77f42c3711829eab7a8f2a23a951d78d60000eddbad989ca7294a957e2d92ae856d967b17de2b3f643a64e26fbe68

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
239B

MD5
f6e9a890d89cbc6684cc81fdba858cb4

SHA1
352924f71a6debb722a31af9d9a2c9bc157f6593

SHA256
7300f298f3baf29ec7dfcffb6ed84a14eea910dd323d845f9c343990b8754c51

SHA512
e0ddd4bdc29b355937be75ea90b1c8a0b4e9ce631364fcc35635a7f33b7e00a4a245402456cf17364a91a61cf1a551f2fb49d3f25133a4e488a5f379014264d9

Download Submit
memory/952-157-0x00000000702E0000-0x000000007032C000-memory.dmp

Filesize
304KB

Download
memory/4880-154-0x00000000702E0000-0x000000007032C000-memory.dmp

Filesize
304KB

Download
memory/5040-144-0x00000000077E0000-0x0000000007E5A000-memory.dmp

Filesize
6.5MB

Download
memory/5040-149-0x0000000007410000-0x000000000742A000-memory.dmp

Filesize
104KB

Download
memory/5040-142-0x00000000702E0000-0x000000007032C000-memory.dmp

Filesize
304KB

Download
memory/5040-143-0x00000000062C0000-0x00000000062DE000-memory.dmp

Filesize
120KB

Download
memory/5040-145-0x0000000006E30000-0x0000000006E4A000-memory.dmp

Filesize
104KB

Download
memory/5040-146-0x0000000006F10000-0x0000000006F1A000-memory.dmp

Filesize
40KB

Download
memory/5040-147-0x0000000007350000-0x00000000073E6000-memory.dmp

Filesize
600KB

Download
memory/5040-148-0x00000000072F0000-0x00000000072FE000-memory.dmp

Filesize
56KB

Download
memory/5040-141-0x00000000062E0000-0x0000000006312000-memory.dmp

Filesize
200KB

Download
memory/5040-150-0x0000000007340000-0x0000000007348000-memory.dmp

Filesize
32KB

Download
memory/5040-140-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

Filesize
120KB

Download
memory/5040-139-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/5040-138-0x0000000004E60000-0x0000000004EC6000-memory.dmp

Filesize
408KB

Download
memory/5040-137-0x0000000004D40000-0x0000000004D62000-memory.dmp

Filesize
136KB

Download
memory/5040-136-0x0000000004EF0000-0x0000000005518000-memory.dmp

Filesize
6.2MB

Download
memory/5040-135-0x0000000004770000-0x00000000047A6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing