icexloader | f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a

General

Target

f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Size

348KB
MD5

10bbabdde9fc09a120347f53cff6e024
SHA1

f4ae8ba0acb5a0e51f2098dc406690ac5697a66f
SHA256

f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a
SHA512

9d6bdc2aec727f5e1abcacd261984a365419e1b6909ab60c6864945ee6e5c803468e70d3883af47ba3155540154ad71ccad67fcdb5b81525a0c22a360c5a6567
SSDEEP

6144:8hf/YQ9FZtNMYORbGB9lBkQiYfyVQhAyPlI/2:8hB1bMtCBk2fyVQhAyPlI/2

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Drops startup file 1 IoCs

Processes:

f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chromedrivers.exe	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chromedrivers = "\"C:\\Users\\Admin\\AppData\\Roaming\\chromedrivers.exe\""	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\chromedrivers = "\"C:\\Users\\Admin\\AppData\\Roaming\\chromedrivers.exe\""	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	Process
3132	powershell.exe
3132	powershell.exe
4408	powershell.exe
4408	powershell.exe
2892	powershell.exe
2892	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exef2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeRemoteShutdownPrivilege	3472	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Token: SeRemoteShutdownPrivilege	3472	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Token: SeRemoteShutdownPrivilege	3472	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Token: SeRemoteShutdownPrivilege	3472	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Token: SeRemoteShutdownPrivilege	3472	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Token: SeRemoteShutdownPrivilege	3472	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Token: SeRemoteShutdownPrivilege	3472	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Token: SeRemoteShutdownPrivilege	3472	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Token: SeRemoteShutdownPrivilege	3472	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Token: SeRemoteShutdownPrivilege	3472	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.execmd.exe

description	pid	Process	procid_target
PID 3472 wrote to memory of 628	3472	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe	78
PID 3472 wrote to memory of 628	3472	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe	78
PID 3472 wrote to memory of 628	3472	f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe	78
PID 628 wrote to memory of 3132	628	cmd.exe	80
PID 628 wrote to memory of 3132	628	cmd.exe	80
PID 628 wrote to memory of 3132	628	cmd.exe	80
PID 628 wrote to memory of 4408	628	cmd.exe	83
PID 628 wrote to memory of 4408	628	cmd.exe	83
PID 628 wrote to memory of 4408	628	cmd.exe	83
PID 628 wrote to memory of 2892	628	cmd.exe	84
PID 628 wrote to memory of 2892	628	cmd.exe	84
PID 628 wrote to memory of 2892	628	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe
"C:\Users\Admin\AppData\Local\Temp\f2900040b4ebfea4bc66d638e1986b8b5c4ca3ed5e135c23cc4b426f17db143a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\chromedrivers\.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f0224c333a0034a31f98134b0e491a43

SHA1
8a275c20430be098d746c90c302e4fc2cd910b00

SHA256
9a7f54728d165bf7c1bbbc86c68d5805a6f853d71610c0e1f5e13371ab6cdf02

SHA512
3a1debb3b531442792ca20d2df8314a5fde88e4a8dafab99fa524c906abc8bacbe09dca3259b231a862cc03085537c4738d83c37f07955e6c2c643bda0a1d213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
c9f5984e35bf8c14def27c5682f5dd90

SHA1
747d7db88613d7f67f2c3bdbb589c521d255b8c3

SHA256
2559081fec03de85258e7b0f43b71c1016e0279d9f987eb698ff96b2e2325047

SHA512
230997e1d569ab65382600d2f24d1e4b3586c2910f6cf7767dc9f85643134de45cfbdec27d4da4d56f8bd01349edf9f74ad5f282c16b14a242224c4897083673

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
247B

MD5
79a6b4499f67d1488b7befb59ba274f2

SHA1
a9df015afededb874fc81418e1d8abf7eec10005

SHA256
1626c0c87d89c6b080c51c4660b7b0ab43d9d9320c1cacd102fc27170180e94b

SHA512
d0d0005bbde0532db6764780690ab14c5f6d3fe873e8fa7bbeb44e970ea744170d4bae3c98535f8b828511617aec50ef2d4eef9f8f9597a136dbd596a1472db7

Download Submit
memory/628-132-0x0000000000000000-mapping.dmp

Download
memory/2892-155-0x0000000000000000-mapping.dmp

Download
memory/3132-144-0x00000000074B0000-0x0000000007B2A000-memory.dmp

Filesize
6.5MB

Download
memory/3132-148-0x00000000070A0000-0x00000000070AE000-memory.dmp

Filesize
56KB

Download
memory/3132-141-0x0000000006B30000-0x0000000006B62000-memory.dmp

Filesize
200KB

Download
memory/3132-142-0x0000000070470000-0x00000000704BC000-memory.dmp

Filesize
304KB

Download
memory/3132-143-0x00000000060F0000-0x000000000610E000-memory.dmp

Filesize
120KB

Download
memory/3132-139-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/3132-145-0x0000000006E60000-0x0000000006E7A000-memory.dmp

Filesize
104KB

Download
memory/3132-146-0x0000000006EC0000-0x0000000006ECA000-memory.dmp

Filesize
40KB

Download
memory/3132-147-0x00000000070F0000-0x0000000007186000-memory.dmp

Filesize
600KB

Download
memory/3132-140-0x0000000005A50000-0x0000000005A6E000-memory.dmp

Filesize
120KB

Download
memory/3132-149-0x0000000007190000-0x00000000071AA000-memory.dmp

Filesize
104KB

Download
memory/3132-150-0x00000000070E0000-0x00000000070E8000-memory.dmp

Filesize
32KB

Download
memory/3132-134-0x0000000000000000-mapping.dmp

Download
memory/3132-138-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/3132-137-0x0000000004C90000-0x0000000004CB2000-memory.dmp

Filesize
136KB

Download
memory/3132-136-0x0000000004DD0000-0x00000000053F8000-memory.dmp

Filesize
6.2MB

Download
memory/3132-135-0x0000000002550000-0x0000000002586000-memory.dmp

Filesize
216KB

Download
memory/4408-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads