icexloader | 0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2022 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
Size

388KB
MD5

dc3da04d1159f3db53d4e205d214edb2
SHA1

169892fe651e572a0a50708dfd06201d42f57662
SHA256

0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c
SHA512

fcb2a1b54493f8935d9b71e28209f6c48bfe375acfbb7664cf1ff6e39595e8b1dfed6173d440b2749a44bbb490a848ca52daaad1145ec0a63a9965b11ec29d5d
SSDEEP

6144:k9rI7T8AzZV2MYORbAV9bQdnXgfyVQhAyPlb/F+bs7:LIkEMtiQdwfyVQhAyPlb/wby

Score

10^/10

icexloader neshta loader persistence spyware stealer

Malware Config

Extracted

Family

icexloader

http://iceten.top/icex/Script.php

Signatures

Detects IceXLoader v3.0 4 IoCs

resource	yara_rule
behavioral2/files/0x000300000000072d-133.dat	family_icexloader_v3
behavioral2/files/0x000300000000072d-134.dat	family_icexloader_v3
behavioral2/files/0x0003000000000731-150.dat	family_icexloader_v3
behavioral2/files/0x0003000000000733-151.dat	family_icexloader_v3

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Executes dropped EXE 1 IoCs

pid	Process
1324	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICE X.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI391D~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~2.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MIA062~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~3.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13167~1.21\MICROS~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3796	powershell.exe
3796	powershell.exe
4748	powershell.exe
4748	powershell.exe
4448	powershell.exe
4448	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1324	2404	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe	84
PID 2404 wrote to memory of 1324	2404	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe	84
PID 2404 wrote to memory of 1324	2404	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe	84
PID 1324 wrote to memory of 4316	1324	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe	85
PID 1324 wrote to memory of 4316	1324	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe	85
PID 1324 wrote to memory of 4316	1324	0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe	85
PID 4316 wrote to memory of 3796	4316	cmd.exe	87
PID 4316 wrote to memory of 3796	4316	cmd.exe	87
PID 4316 wrote to memory of 3796	4316	cmd.exe	87
PID 4316 wrote to memory of 4748	4316	cmd.exe	88
PID 4316 wrote to memory of 4748	4316	cmd.exe	88
PID 4316 wrote to memory of 4748	4316	cmd.exe	88
PID 4316 wrote to memory of 4448	4316	cmd.exe	89
PID 4316 wrote to memory of 4448	4316	cmd.exe	89
PID 4316 wrote to memory of 4448	4316	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
"C:\Users\Admin\AppData\Local\Temp\0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\3582-490\0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3796
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\ICE X\.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9d75ac1b77762b4d68226255a197216a

SHA1
316b75b7dfb5b3488261f11c5a093e0e899aa16f

SHA256
648693c2f187317f0db06506efde899856cab5a107097c9883ff724c389fa5b3

SHA512
ad62ab5626d0c6c751b0718f98b86f528ae08ab40b773cf45dfa8a1336a7f25990f8db8d22fd0e08446602ddb2f163f3e57a221ace7b0ddd5728305bf76a10df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6e4a6aa248ebce52920c6b51988d3ee3

SHA1
006671a0a7866b8042ef79385a458bf9b9171f25

SHA256
90076d20964212b0a93a8203b8e7259bad1f18baffd14ffb46186d423a86bc4b

SHA512
b6d654cadc184b23cc41004fab9d4a6924784802a41e178e12391fa78f89061f940f4684422dc6671b181f75a0ad3c2f19cf7ce8f70c874bbcce83635396c664

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe

Filesize
348KB

MD5
d6b21df8cae11de41a09ddc530a42c19

SHA1
17bf628c1ac85079b96638aad0ea0e74efe7f1d7

SHA256
2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59

SHA512
9f209f1fa036ca59dce5ae4c6a4ce1ebcaf9fa4c2e000089936ca6ea1f290b5f9653ac69f57b12d4cd0a35b1e15a874269b6ad303a1333769df77dd24bbbdcc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\0feba92ff632640e738c770d3eb69ee1e287a54fb86c50bbcd2d0a9114b8539c.bin.exe

Filesize
348KB

MD5
d6b21df8cae11de41a09ddc530a42c19

SHA1
17bf628c1ac85079b96638aad0ea0e74efe7f1d7

SHA256
2ce02f14a85c2642cf3ac002fea418a3f5320d0de0cc065f0b0f1bfdf339cb59

SHA512
9f209f1fa036ca59dce5ae4c6a4ce1ebcaf9fa4c2e000089936ca6ea1f290b5f9653ac69f57b12d4cd0a35b1e15a874269b6ad303a1333769df77dd24bbbdcc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
239B

MD5
f6e9a890d89cbc6684cc81fdba858cb4

SHA1
352924f71a6debb722a31af9d9a2c9bc157f6593

SHA256
7300f298f3baf29ec7dfcffb6ed84a14eea910dd323d845f9c343990b8754c51

SHA512
e0ddd4bdc29b355937be75ea90b1c8a0b4e9ce631364fcc35635a7f33b7e00a4a245402456cf17364a91a61cf1a551f2fb49d3f25133a4e488a5f379014264d9

Download Submit
C:\Users\Admin\AppData\Roaming\ICEX~1.EXE

Filesize
388KB

MD5
e60852ef5a13852ce17c7c47c4a14552

SHA1
c6c5b8ea2374a3e8a3c58c34e0785fd229b52bec

SHA256
0e59ce4adb6597fc157bf7c16d21b4d95c60e49ac72bd8d12d0e42ce3ff63b3c

SHA512
4fe77b55e9b444dfdef6e501fb61ff5b662f60035020cc5d37d72426abf26d7a9e5e5c2dea7abdff550bb5ccad1e36c451da56e475cc250fbcec6243a78d32b9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ICEX~1.EXE

Filesize
388KB

MD5
e60852ef5a13852ce17c7c47c4a14552

SHA1
c6c5b8ea2374a3e8a3c58c34e0785fd229b52bec

SHA256
0e59ce4adb6597fc157bf7c16d21b4d95c60e49ac72bd8d12d0e42ce3ff63b3c

SHA512
4fe77b55e9b444dfdef6e501fb61ff5b662f60035020cc5d37d72426abf26d7a9e5e5c2dea7abdff550bb5ccad1e36c451da56e475cc250fbcec6243a78d32b9

Download Submit
memory/3796-146-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/3796-152-0x0000000007570000-0x0000000007606000-memory.dmp

Filesize
600KB

Download
memory/3796-143-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

Filesize
120KB

Download
memory/3796-144-0x00000000065B0000-0x00000000065E2000-memory.dmp

Filesize
200KB

Download
memory/3796-145-0x0000000070840000-0x000000007088C000-memory.dmp

Filesize
304KB

Download
memory/3796-141-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/3796-147-0x0000000007920000-0x0000000007F9A000-memory.dmp

Filesize
6.5MB

Download
memory/3796-148-0x00000000072E0000-0x00000000072FA000-memory.dmp

Filesize
104KB

Download
memory/3796-149-0x0000000004D30000-0x0000000004D3A000-memory.dmp

Filesize
40KB

Download
memory/3796-140-0x0000000005010000-0x0000000005032000-memory.dmp

Filesize
136KB

Download
memory/3796-139-0x0000000005180000-0x00000000057A8000-memory.dmp

Filesize
6.2MB

Download
memory/3796-142-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/3796-153-0x0000000007530000-0x000000000753E000-memory.dmp

Filesize
56KB

Download
memory/3796-154-0x0000000007630000-0x000000000764A000-memory.dmp

Filesize
104KB

Download
memory/3796-155-0x0000000007610000-0x0000000007618000-memory.dmp

Filesize
32KB

Download
memory/3796-138-0x0000000004A10000-0x0000000004A46000-memory.dmp

Filesize
216KB

Download
memory/4448-162-0x0000000070840000-0x000000007088C000-memory.dmp

Filesize
304KB

Download
memory/4748-159-0x0000000070840000-0x000000007088C000-memory.dmp

Filesize
304KB

Download