icexloader | 0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
15-11-2022 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe
Size

348KB
MD5

96bdd68cfa84ba3d7390b4e172837370
SHA1

f3f5908c8138881e04db463a78172ca510073788
SHA256

0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9
SHA512

17775d7dbf6776620f59a0a2f4ea2753a4ddf39a9b05e7f2d28dae2e48a809c8aa30382d5fdddff70c76d948f6a1991a1585271e3b820576feb18825b178f4b0
SSDEEP

6144:cbslI7IBoZ1jMYORbxV9b+WvHfyVQhAyPl//2:cbvII1MtD+WffyVQhAyPl//2

Score

10^/10

icexloader loader persistence

Malware Config

Extracted

Family

icexloader

http://stealthelite.one/magnumopus/Script.php

Signatures

Detects IceXLoader v3.0 4 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000122ef-59.dat	family_icexloader_v3
behavioral1/files/0x000b0000000122ef-60.dat	family_icexloader_v3
behavioral1/files/0x000b0000000122ef-63.dat	family_icexloader_v3
behavioral1/files/0x000b0000000122ef-61.dat	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader

Executes dropped EXE 1 IoCs

pid	Process
380	Opus.exe

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Opus.exe	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe

Loads dropped DLL 2 IoCs

pid	Process
1536	cmd.exe
1536	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Opus = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opus.exe\""	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Opus = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opus.exe\""	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
560	timeout.exe
572	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1168	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 1536	1180	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe	28
PID 1180 wrote to memory of 1536	1180	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe	28
PID 1180 wrote to memory of 1536	1180	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe	28
PID 1180 wrote to memory of 1536	1180	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe	28
PID 1180 wrote to memory of 2040	1180	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe	29
PID 1180 wrote to memory of 2040	1180	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe	29
PID 1180 wrote to memory of 2040	1180	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe	29
PID 1180 wrote to memory of 2040	1180	0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe	29
PID 1536 wrote to memory of 560	1536	cmd.exe	32
PID 1536 wrote to memory of 560	1536	cmd.exe	32
PID 1536 wrote to memory of 560	1536	cmd.exe	32
PID 1536 wrote to memory of 560	1536	cmd.exe	32
PID 2040 wrote to memory of 572	2040	cmd.exe	33
PID 2040 wrote to memory of 572	2040	cmd.exe	33
PID 2040 wrote to memory of 572	2040	cmd.exe	33
PID 2040 wrote to memory of 572	2040	cmd.exe	33
PID 1536 wrote to memory of 380	1536	cmd.exe	34
PID 1536 wrote to memory of 380	1536	cmd.exe	34
PID 1536 wrote to memory of 380	1536	cmd.exe	34
PID 1536 wrote to memory of 380	1536	cmd.exe	34
PID 380 wrote to memory of 536	380	Opus.exe	35
PID 380 wrote to memory of 536	380	Opus.exe	35
PID 380 wrote to memory of 536	380	Opus.exe	35
PID 380 wrote to memory of 536	380	Opus.exe	35
PID 536 wrote to memory of 1168	536	cmd.exe	37
PID 536 wrote to memory of 1168	536	cmd.exe	37
PID 536 wrote to memory of 1168	536	cmd.exe	37
PID 536 wrote to memory of 1168	536	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe
"C:\Users\Admin\AppData\Local\Temp\0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 2 & "C:\Users\Admin\AppData\Roaming\Opus.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:560
- - C:\Users\Admin\AppData\Roaming\Opus.exe
    "C:\Users\Admin\AppData\Roaming\Opus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 1 & del /F "C:\Users\Admin\AppData\Local\Temp\0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
238B

MD5
fdb5554346e7388c6bc358c16c448995

SHA1
17957bbe381d434574e1fc15ed5c74084fda26fe

SHA256
898bc3e85e09e353a36612b5911aa2636c06a94443dbec4e62c6b8cf2412640c

SHA512
3eec1e0dab21861bcb73cbfe3ea7234768443dd02c62a55919ad7e693501ff886946d74a8f75b7f580fa5251472a13ff55d187396c8d65fe9c2220f2f6da0674

Download Submit
C:\Users\Admin\AppData\Roaming\Opus.exe

Filesize
348KB

MD5
96bdd68cfa84ba3d7390b4e172837370

SHA1
f3f5908c8138881e04db463a78172ca510073788

SHA256
0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9

SHA512
17775d7dbf6776620f59a0a2f4ea2753a4ddf39a9b05e7f2d28dae2e48a809c8aa30382d5fdddff70c76d948f6a1991a1585271e3b820576feb18825b178f4b0

Download Submit
C:\Users\Admin\AppData\Roaming\Opus.exe

Filesize
348KB

MD5
96bdd68cfa84ba3d7390b4e172837370

SHA1
f3f5908c8138881e04db463a78172ca510073788

SHA256
0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9

SHA512
17775d7dbf6776620f59a0a2f4ea2753a4ddf39a9b05e7f2d28dae2e48a809c8aa30382d5fdddff70c76d948f6a1991a1585271e3b820576feb18825b178f4b0

Download Submit
\Users\Admin\AppData\Roaming\Opus.exe

Filesize
348KB

MD5
96bdd68cfa84ba3d7390b4e172837370

SHA1
f3f5908c8138881e04db463a78172ca510073788

SHA256
0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9

SHA512
17775d7dbf6776620f59a0a2f4ea2753a4ddf39a9b05e7f2d28dae2e48a809c8aa30382d5fdddff70c76d948f6a1991a1585271e3b820576feb18825b178f4b0

Download Submit
\Users\Admin\AppData\Roaming\Opus.exe

Filesize
348KB

MD5
96bdd68cfa84ba3d7390b4e172837370

SHA1
f3f5908c8138881e04db463a78172ca510073788

SHA256
0911819d0e050ddc5884ea40b4b39a716a7ef8de0179d0dfded9f043546cede9

SHA512
17775d7dbf6776620f59a0a2f4ea2753a4ddf39a9b05e7f2d28dae2e48a809c8aa30382d5fdddff70c76d948f6a1991a1585271e3b820576feb18825b178f4b0

Download Submit
memory/1168-69-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-70-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1180-54-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download