Overview

overview

10

Static

static

1

Installer.exe

windows7-x64

3

Installer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-03-2023 21:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Installer.exe

  • Size

    5.0MB

  • MD5

    7c54b7057111165aed5885a25a662284

  • SHA1

    2427f02080a0f3040e82731f16d264b686b50d2a

  • SHA256

    28b0e4a555f41d4709a7d180f2b951491efa80d054cad46c887059ac79d75745

  • SHA512

    aa2e8228e1911fc1edbb264b925e01c750dff5a722d1dbe0144e40e497710e87591d9954cc04df8ee6aa92221f79411d3c7d39e1082cb5f0a6f710b4c67895dd

  • SSDEEP

    98304:N9/3GjyyERJicIqAviJXjlsjBKF7ZHSAZginBJzCV9NAi5o8fWw:NlGjyyERMjTvAXjlgK5ZHdZginrCrNAg

Score
10/10
icexloaderloaderpersistence

Malware Config

Extracted

Family

icexloader

C2

http://golden-cheats.com/icex/Script.php

Signatures

  • Detects IceXLoader v3.0 4 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • icexloader

    IceXLoader is a downloader used to deliver other malware families.

    loadericexloader
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:436
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      2⤵
        PID:2904
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout 45
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4536
        • C:\Windows\SysWOW64\timeout.exe
          timeout 45
          3⤵
          • Delays execution with timeout.exe
          PID:3792
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        2⤵
          PID:1840

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/436-133-0x0000000000890000-0x0000000000D98000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/436-134-0x00000000061E0000-0x00000000061F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/436-135-0x00000000061E0000-0x00000000061F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/436-136-0x00000000013F0000-0x0000000001456000-memory.dmp

        Filesize

        408KB

        Download

      • memory/436-137-0x0000000028450000-0x00000000284E2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/436-138-0x0000000028AA0000-0x0000000029044000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1840-140-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1840-142-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1840-144-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1840-145-0x0000000000400000-0x0000000000451000-memory.dmp

        Filesize

        324KB

        Download