Analysis
-
max time kernel
100s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
10-11-2022 01:08
Behavioral task
behavioral1
Sample
f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Resource
win10v2004-20220812-en
General
-
Target
f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
-
Size
348KB
-
MD5
10bbabdde9fc09a120347f53cff6e024
-
SHA1
f4ae8ba0acb5a0e51f2098dc406690ac5697a66f
-
SHA256
f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a
-
SHA512
9d6bdc2aec727f5e1abcacd261984a365419e1b6909ab60c6864945ee6e5c803468e70d3883af47ba3155540154ad71ccad67fcdb5b81525a0c22a360c5a6567
-
SSDEEP
6144:8hf/YQ9FZtNMYORbGB9lBkQiYfyVQhAyPlI/2:8hB1bMtCBk2fyVQhAyPlI/2
Malware Config
Signatures
-
icexloader
IceXLoader is a downloader used to deliver other malware families.
-
Drops startup file 1 IoCs
Processes:
f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chromedrivers.exe f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\chromedrivers = "\"C:\\Users\\Admin\\AppData\\Roaming\\chromedrivers.exe\"" f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\chromedrivers = "\"C:\\Users\\Admin\\AppData\\Roaming\\chromedrivers.exe\"" f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid Process 1264 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid Process Token: SeDebugPrivilege 1264 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.execmd.exedescription pid Process procid_target PID 1204 wrote to memory of 1648 1204 f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe 27 PID 1204 wrote to memory of 1648 1204 f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe 27 PID 1204 wrote to memory of 1648 1204 f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe 27 PID 1204 wrote to memory of 1648 1204 f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe 27 PID 1648 wrote to memory of 1264 1648 cmd.exe 29 PID 1648 wrote to memory of 1264 1648 cmd.exe 29 PID 1648 wrote to memory of 1264 1648 cmd.exe 29 PID 1648 wrote to memory of 1264 1648 cmd.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe"C:\Users\Admin\AppData\Local\Temp\f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
247B
MD579a6b4499f67d1488b7befb59ba274f2
SHA1a9df015afededb874fc81418e1d8abf7eec10005
SHA2561626c0c87d89c6b080c51c4660b7b0ab43d9d9320c1cacd102fc27170180e94b
SHA512d0d0005bbde0532db6764780690ab14c5f6d3fe873e8fa7bbeb44e970ea744170d4bae3c98535f8b828511617aec50ef2d4eef9f8f9597a136dbd596a1472db7