Analysis
max time kernel: 299s
max time network: 333s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2022 11:45
Behavioral task behavioral1
Sample: 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe
Resource: win7-20221111-en

Behavioral task behavioral2
Sample: 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe
Resource: win10v2004-20221111-en
General
Target: 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe
Size: 348KB
MD5: 6210be523c5fab6a205772fc1a6abfb4
SHA1: b9ad3b37702aa0187592fb39b26148d8b320b6ca
SHA256: 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448
SHA512: a98fb903c1d9f2d23a9a7a67e8bc7f27228f054105ac43413e6887ff8c0de29968b5d71218a116f7f73a814a8be4bc50b4c78c4e913c5da1b1083c51c80fbdab
SSDEEP: 6144:ZbslI7b8btZ1WMYORbMV9bwkn8gfyVQhAyPlb/2:ZbvwnEMtWwk3fyVQhAyPlb/2
Malware Config
Signatures

icexloader
IceXLoader is a downloader used to deliver other malware families.

Drops startup file 1 IoCs
Processes: 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe
- description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ICE X.exe
  Process: 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe

Adds Run key to start application 2 TTPs 4 IoCs
Processes: 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe
- description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Process: 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""
  Process: 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe
- description: Key created
  ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Process: 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICE X = "\"C:\\Users\\Admin\\AppData\\Roaming\\ICE X.exe\""
  Process: 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: powershell.exe
- pid: 756
  Process: powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: powershell.exe
- description: Token: SeDebugPrivilege
  pid: 756
  Process: powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs
Processes: 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe, cmd.exe
- PID 1644 wrote to memory of 1964 (pid 1644, Process 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe, procid_target 28)
- PID 1644 wrote to memory of 1964 (pid 1644, Process 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe, procid_target 28)
- PID 1644 wrote to memory of 1964 (pid 1644, Process 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe, procid_target 28)
- PID 1644 wrote to memory of 1964 (pid 1644, Process 79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe, procid_target 28)
- PID 1964 wrote to memory of 756 (pid 1964, Process cmd.exe, procid_target 30)
- PID 1964 wrote to memory of 756 (pid 1964, Process cmd.exe, procid_target 30)
- PID 1964 wrote to memory of 756 (pid 1964, Process cmd.exe, procid_target 30)
- PID 1964 wrote to memory of 756 (pid 1964, Process cmd.exe, procid_target 30)
Processes
1. C:\Users\Admin\AppData\Local\Temp\79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\79915a1352da45f69fbd193f7bd28bba64949dfe6c2baf8090151e676aad2448.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 1644
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
      - Suspicious use of WriteProcessMemory
      PID: 1964
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 756
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 239B
  MD5: f6e9a890d89cbc6684cc81fdba858cb4
  SHA1: 352924f71a6debb722a31af9d9a2c9bc157f6593
  SHA256: 7300f298f3baf29ec7dfcffb6ed84a14eea910dd323d845f9c343990b8754c51
  SHA512: e0ddd4bdc29b355937be75ea90b1c8a0b4e9ce631364fcc35635a7f33b7e00a4a245402456cf17364a91a61cf1a551f2fb49d3f25133a4e488a5f379014264d9