icexloader | f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a

General

Target

f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
Size

348KB
MD5

10bbabdde9fc09a120347f53cff6e024
SHA1

f4ae8ba0acb5a0e51f2098dc406690ac5697a66f
SHA256

f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a
SHA512

9d6bdc2aec727f5e1abcacd261984a365419e1b6909ab60c6864945ee6e5c803468e70d3883af47ba3155540154ad71ccad67fcdb5b81525a0c22a360c5a6567
SSDEEP

6144:8hf/YQ9FZtNMYORbGB9lBkQiYfyVQhAyPlI/2:8hB1bMtCBk2fyVQhAyPlI/2

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chromedrivers.exe	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chromedrivers = "\"C:\\Users\\Admin\\AppData\\Roaming\\chromedrivers.exe\""	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\chromedrivers = "\"C:\\Users\\Admin\\AppData\\Roaming\\chromedrivers.exe\""	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4744	powershell.exe
4744	powershell.exe
2084	powershell.exe
2084	powershell.exe
3800	powershell.exe
3800	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeRemoteShutdownPrivilege	4132	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
Token: SeRemoteShutdownPrivilege	4132	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
Token: SeRemoteShutdownPrivilege	4132	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
Token: SeRemoteShutdownPrivilege	4132	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
Token: SeRemoteShutdownPrivilege	4132	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeRemoteShutdownPrivilege	4132	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
Token: SeRemoteShutdownPrivilege	4132	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
Token: SeRemoteShutdownPrivilege	4132	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
Token: SeRemoteShutdownPrivilege	4132	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
Token: SeRemoteShutdownPrivilege	4132	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
Token: SeDebugPrivilege	3800	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 3204	4132	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe	81
PID 4132 wrote to memory of 3204	4132	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe	81
PID 4132 wrote to memory of 3204	4132	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe	81
PID 3204 wrote to memory of 4744	3204	cmd.exe	83
PID 3204 wrote to memory of 4744	3204	cmd.exe	83
PID 3204 wrote to memory of 4744	3204	cmd.exe	83
PID 3204 wrote to memory of 2084	3204	cmd.exe	84
PID 3204 wrote to memory of 2084	3204	cmd.exe	84
PID 3204 wrote to memory of 2084	3204	cmd.exe	84
PID 3204 wrote to memory of 3800	3204	cmd.exe	85
PID 3204 wrote to memory of 3800	3204	cmd.exe	85
PID 3204 wrote to memory of 3800	3204	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe
"C:\Users\Admin\AppData\Local\Temp\f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.bin.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4744
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\chromedrivers\.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
86c1a989142ebd5e766ffabfe4780679

SHA1
98d1f137875f0325bd9a1f48292a0d44d49de358

SHA256
00c871850819e291464a8a806aca7f1fd0293c43ac5d2dab25d313f0c0600298

SHA512
ef6734904ab21f194737f2981233e7f235a5fa4534e6c5534e28be09a557598a2d4cc24434be00292a6d4ee70f227c3accb74ba864664cfd4f3c29af681d9471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e4b16677f7e3e6e60551464bc062d19e

SHA1
940ba032912112e3b9895b18cec7a23d6a7340ec

SHA256
ced2b22160f0a3dcc3892a157e980b7a0e1e6204eea12891f94c796e0a16fbf5

SHA512
60297b03c6bb73f831d657a127f0f484fc2b0c23f0f13b34a07aacbb54f5944708c735211d8958f2b58f4c96c964e0db2d20ffb39bed8dd824dc59964b4d8b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
247B

MD5
79a6b4499f67d1488b7befb59ba274f2

SHA1
a9df015afededb874fc81418e1d8abf7eec10005

SHA256
1626c0c87d89c6b080c51c4660b7b0ab43d9d9320c1cacd102fc27170180e94b

SHA512
d0d0005bbde0532db6764780690ab14c5f6d3fe873e8fa7bbeb44e970ea744170d4bae3c98535f8b828511617aec50ef2d4eef9f8f9597a136dbd596a1472db7

Download Submit
memory/2084-154-0x00000000709D0000-0x0000000070A1C000-memory.dmp

Filesize
304KB

Download
memory/3800-157-0x00000000709D0000-0x0000000070A1C000-memory.dmp

Filesize
304KB

Download
memory/4744-144-0x0000000007840000-0x0000000007EBA000-memory.dmp

Filesize
6.5MB

Download
memory/4744-150-0x0000000007480000-0x0000000007488000-memory.dmp

Filesize
32KB

Download
memory/4744-143-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/4744-141-0x00000000064C0000-0x00000000064F2000-memory.dmp

Filesize
200KB

Download
memory/4744-145-0x0000000007200000-0x000000000721A000-memory.dmp

Filesize
104KB

Download
memory/4744-146-0x0000000007260000-0x000000000726A000-memory.dmp

Filesize
40KB

Download
memory/4744-147-0x0000000007490000-0x0000000007526000-memory.dmp

Filesize
600KB

Download
memory/4744-148-0x0000000007440000-0x000000000744E000-memory.dmp

Filesize
56KB

Download
memory/4744-149-0x0000000007530000-0x000000000754A000-memory.dmp

Filesize
104KB

Download
memory/4744-142-0x00000000709D0000-0x0000000070A1C000-memory.dmp

Filesize
304KB

Download
memory/4744-140-0x0000000005EF0000-0x0000000005F0E000-memory.dmp

Filesize
120KB

Download
memory/4744-139-0x0000000005800000-0x0000000005866000-memory.dmp

Filesize
408KB

Download
memory/4744-138-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/4744-137-0x0000000005040000-0x0000000005062000-memory.dmp

Filesize
136KB

Download
memory/4744-136-0x00000000050F0000-0x0000000005718000-memory.dmp

Filesize
6.2MB

Download
memory/4744-135-0x0000000002940000-0x0000000002976000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing