icexloader | f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a

Analysis

max time kernel
100s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10-11-2022 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Size

348KB
MD5

10bbabdde9fc09a120347f53cff6e024
SHA1

f4ae8ba0acb5a0e51f2098dc406690ac5697a66f
SHA256

f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a
SHA512

9d6bdc2aec727f5e1abcacd261984a365419e1b6909ab60c6864945ee6e5c803468e70d3883af47ba3155540154ad71ccad67fcdb5b81525a0c22a360c5a6567
SSDEEP

6144:8hf/YQ9FZtNMYORbGB9lBkQiYfyVQhAyPlI/2:8hB1bMtCBk2fyVQhAyPlI/2

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Drops startup file 1 IoCs

Processes:

f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chromedrivers.exe	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\chromedrivers = "\"C:\\Users\\Admin\\AppData\\Roaming\\chromedrivers.exe\""	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\chromedrivers = "\"C:\\Users\\Admin\\AppData\\Roaming\\chromedrivers.exe\""	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1264 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1264 powershell.exe

pid	process
1264	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1264	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.execmd.exe

description	pid	process	target process
PID 1204 wrote to memory of 1648	1204	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe	cmd.exe
PID 1204 wrote to memory of 1648	1204	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe	cmd.exe
PID 1204 wrote to memory of 1648	1204	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe	cmd.exe
PID 1204 wrote to memory of 1648	1204	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe	cmd.exe
PID 1648 wrote to memory of 1264	1648	cmd.exe	powershell.exe
PID 1648 wrote to memory of 1264	1648	cmd.exe	powershell.exe
PID 1648 wrote to memory of 1264	1648	cmd.exe	powershell.exe
PID 1648 wrote to memory of 1264	1648	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
"C:\Users\Admin\AppData\Local\Temp\f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file.bat
Filesize
247B

MD5
79a6b4499f67d1488b7befb59ba274f2

SHA1
a9df015afededb874fc81418e1d8abf7eec10005

SHA256
1626c0c87d89c6b080c51c4660b7b0ab43d9d9320c1cacd102fc27170180e94b

SHA512
d0d0005bbde0532db6764780690ab14c5f6d3fe873e8fa7bbeb44e970ea744170d4bae3c98535f8b828511617aec50ef2d4eef9f8f9597a136dbd596a1472db7

Download Submit
memory/1204-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/1264-57-0x0000000000000000-mapping.dmp

Download
memory/1264-59-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/1264-60-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/1648-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads