icexloader | 0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2022 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe
Size

348KB
MD5

96bdd68cfa84ba3d7390b4e172837370
SHA1

f3f5908c8138881e04db463a78172ca510073788
SHA256

0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9
SHA512

17775d7dbf6776620f59a0a2f4ea2753a4ddf39a9b05e7f2d28dae2e48a809c8aa30382d5fdddff70c76d948f6a1991a1585271e3b820576feb18825b178f4b0
SSDEEP

6144:cbslI7IBoZ1jMYORbxV9b+WvHfyVQhAyPl//2:cbvII1MtD+WffyVQhAyPl//2

Score

10^/10

icexloader loader persistence

Malware Config

Extracted

Family

icexloader

http://stealthelite.one/magnumopus/Script.php

Signatures

Detects IceXLoader v3.0 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022f58-137.dat	family_icexloader_v3
behavioral2/files/0x0007000000022f58-138.dat	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Executes dropped EXE 1 IoCs

pid	Process
4992	Opus.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Opus.exe	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opus = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opus.exe\""	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Opus = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opus.exe\""	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4676	timeout.exe
4596	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4468	powershell.exe
4468	powershell.exe
4396	powershell.exe
4396	powershell.exe
4020	powershell.exe
4020	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe
Token: SeRemoteShutdownPrivilege	4992	Opus.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 1236	4584	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe	79
PID 4584 wrote to memory of 1236	4584	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe	79
PID 4584 wrote to memory of 1236	4584	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe	79
PID 4584 wrote to memory of 2052	4584	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe	80
PID 4584 wrote to memory of 2052	4584	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe	80
PID 4584 wrote to memory of 2052	4584	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe	80
PID 1236 wrote to memory of 4596	1236	cmd.exe	84
PID 1236 wrote to memory of 4596	1236	cmd.exe	84
PID 1236 wrote to memory of 4596	1236	cmd.exe	84
PID 2052 wrote to memory of 4676	2052	cmd.exe	83
PID 2052 wrote to memory of 4676	2052	cmd.exe	83
PID 2052 wrote to memory of 4676	2052	cmd.exe	83
PID 1236 wrote to memory of 4992	1236	cmd.exe	85
PID 1236 wrote to memory of 4992	1236	cmd.exe	85
PID 1236 wrote to memory of 4992	1236	cmd.exe	85
PID 4992 wrote to memory of 4472	4992	Opus.exe	86
PID 4992 wrote to memory of 4472	4992	Opus.exe	86
PID 4992 wrote to memory of 4472	4992	Opus.exe	86
PID 4472 wrote to memory of 4468	4472	cmd.exe	88
PID 4472 wrote to memory of 4468	4472	cmd.exe	88
PID 4472 wrote to memory of 4468	4472	cmd.exe	88
PID 4472 wrote to memory of 4396	4472	cmd.exe	97
PID 4472 wrote to memory of 4396	4472	cmd.exe	97
PID 4472 wrote to memory of 4396	4472	cmd.exe	97
PID 4472 wrote to memory of 4020	4472	cmd.exe	98
PID 4472 wrote to memory of 4020	4472	cmd.exe	98
PID 4472 wrote to memory of 4020	4472	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe
"C:\Users\Admin\AppData\Local\Temp\0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 2 & "C:\Users\Admin\AppData\Roaming\Opus.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:4596
- - C:\Users\Admin\AppData\Roaming\Opus.exe
    "C:\Users\Admin\AppData\Roaming\Opus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\Opus\.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 1 & del /F "C:\Users\Admin\AppData\Local\Temp\0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.bin.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3349394e75c2c8e02ab5d8340e435c5f

SHA1
3bce7c0e3edc3a9bb1cecd2f66114dc07d2844ec

SHA256
d77cbe9a8918ccd4548a992ffb5c7be695a543bbb0b5021ca1dd546a603e566b

SHA512
6da978bfb1f57d30087fd4420778dada9277ea2362e7efa731713736f437aaeea820faf4c96416930c0619f75c2ae85681d4c5a029468c404b4e1ea4dc621862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
af92e11704e50164e763b8106cab0a12

SHA1
220b4672144d983c5c5969b83c86db1d00d9377d

SHA256
aa21592d2f11367d106d2ce5bb91b7f5c1e5fe41dfa4d0374f5925c91aa58c8d

SHA512
19f5c4b4be2cfdbb07a2577d92688d535d468514306336728450551a9c9bc6f0c4eccfb98cfa5401338b7813cb1240dd8e9d9f01dc3446d026ce94fc8d4f76dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
238B

MD5
fdb5554346e7388c6bc358c16c448995

SHA1
17957bbe381d434574e1fc15ed5c74084fda26fe

SHA256
898bc3e85e09e353a36612b5911aa2636c06a94443dbec4e62c6b8cf2412640c

SHA512
3eec1e0dab21861bcb73cbfe3ea7234768443dd02c62a55919ad7e693501ff886946d74a8f75b7f580fa5251472a13ff55d187396c8d65fe9c2220f2f6da0674

Download Submit
C:\Users\Admin\AppData\Roaming\Opus.exe

Filesize
348KB

MD5
96bdd68cfa84ba3d7390b4e172837370

SHA1
f3f5908c8138881e04db463a78172ca510073788

SHA256
0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9

SHA512
17775d7dbf6776620f59a0a2f4ea2753a4ddf39a9b05e7f2d28dae2e48a809c8aa30382d5fdddff70c76d948f6a1991a1585271e3b820576feb18825b178f4b0

Download Submit
C:\Users\Admin\AppData\Roaming\Opus.exe

Filesize
348KB

MD5
96bdd68cfa84ba3d7390b4e172837370

SHA1
f3f5908c8138881e04db463a78172ca510073788

SHA256
0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9

SHA512
17775d7dbf6776620f59a0a2f4ea2753a4ddf39a9b05e7f2d28dae2e48a809c8aa30382d5fdddff70c76d948f6a1991a1585271e3b820576feb18825b178f4b0

Download Submit
memory/4020-164-0x000000006FFF0000-0x000000007003C000-memory.dmp

Filesize
304KB

Download
memory/4396-161-0x000000006FFF0000-0x000000007003C000-memory.dmp

Filesize
304KB

Download
memory/4468-148-0x0000000006560000-0x0000000006592000-memory.dmp

Filesize
200KB

Download
memory/4468-155-0x0000000007570000-0x000000000757E000-memory.dmp

Filesize
56KB

Download
memory/4468-146-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/4468-147-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

Filesize
120KB

Download
memory/4468-144-0x0000000004FF0000-0x0000000005012000-memory.dmp

Filesize
136KB

Download
memory/4468-149-0x000000006FFF0000-0x000000007003C000-memory.dmp

Filesize
304KB

Download
memory/4468-150-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/4468-151-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download
memory/4468-152-0x0000000007340000-0x000000000735A000-memory.dmp

Filesize
104KB

Download
memory/4468-153-0x00000000073A0000-0x00000000073AA000-memory.dmp

Filesize
40KB

Download
memory/4468-154-0x00000000075D0000-0x0000000007666000-memory.dmp

Filesize
600KB

Download
memory/4468-145-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/4468-156-0x0000000007690000-0x00000000076AA000-memory.dmp

Filesize
104KB

Download
memory/4468-157-0x00000000075C0000-0x00000000075C8000-memory.dmp

Filesize
32KB

Download
memory/4468-143-0x0000000005140000-0x0000000005768000-memory.dmp

Filesize
6.2MB

Download
memory/4468-142-0x00000000049F0000-0x0000000004A26000-memory.dmp

Filesize
216KB

Download