Analysis
max time kernel: 2706s
max time network: 2591s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/10/2023, 16:52
Behavioral task: behavioral1
Sample: ICARCUS_Evil_Worm_Full-main.zip
Resource: win10v2004-20230915-en
General
Target: ICARCUS_Evil_Worm_Full-main.zip
Size: 34.4MB
MD5: 90fb1980ef2b425e55da9caf844effe5
SHA1: 37353ee009fc9ed6986a7921101acc58b5bd4429
SHA256: bef9c74d9661d20a87f3ef487ca025be5cfd3abf8ec334ecb595f3d0cd660a27
SHA512: d344bd0e024989fc662d6add5f5aa03d8cdbff2aeaec542076a407c6582c4f50a63e600558edb8918a2b430e60338a69f566b3932030029b4747711d2b0a808e
SSDEEP: 786432:Zj0DNnx2+SNYKlNdoubW3DORuv/w+S76yY8msglhChEvaMR/QJc9/b7VUMnCA24E:10DNnxVSiWADzOEHwpN6sglhC6AJclPu
Malware Config
Signatures

Program crash (1 IoC)
pid: 4164, pid_target: 3836, Process: WerFault.exe, procid_target: 104
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (Process: taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (Process: taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (Process: taskmgr.exe)
Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings (Process: taskmgr.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 3600, Process: taskmgr.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid 3600, Process: taskmgr.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, pid 3600, Process: taskmgr.exe
- Token: SeSystemProfilePrivilege, pid 3600, Process: taskmgr.exe
- Token: SeCreateGlobalPrivilege, pid 3600, Process: taskmgr.exe
- Token: SeManageVolumePrivilege, pid 3324, Process: svchost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
- pid 3600, Process: taskmgr.exe (64 identical entries)
Suspicious use of SendNotifyMessage (64 IoCs)
- pid 3600, Process: taskmgr.exe (64 identical entries)
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 3836 (IcarusEvilWorm_iPwn.exe) wrote to memory of PID 4332, procid_target 106 (3 identical entries)
Processes
- C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ICARCUS_Evil_Worm_Full-main.zip
  PID: 4920
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 444
- C:\Users\Admin\Desktop\ICARCUS_Evil_Worm_Full-main\IcarusEvilWorm_iPwn.exe
  Command line: "C:\Users\Admin\Desktop\ICARCUS_Evil_Worm_Full-main\IcarusEvilWorm_iPwn.exe"
  PID: 3416
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures:
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3600
- C:\Users\Admin\Desktop\ICARCUS_Evil_Worm_Full-main\IcarusEvilWorm_iPwn.exe
  Command line: "C:\Users\Admin\Desktop\ICARCUS_Evil_Worm_Full-main\IcarusEvilWorm_iPwn.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  PID: 3836
  - C:\Windows\SysWOW64\rundll32.exe (child of PID 3836)
    Command line: rundll32 C:\Users\Admin\Desktop\ICARCUS_Evil_Worm_Full-main\Plugins\Chat.dll:CheckIntegrity Self 42e3fda3c2ea2f16d7bc4c338860ac28
    PID: 4332
  - C:\Windows\SysWOW64\WerFault.exe (child of PID 3836)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1312
    Signatures:
    - Program crash
    PID: 4164
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3836 -ip 3836
  PID: 388
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  PID: 2296
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  PID: 3324
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16KB
  MD5: d1a542b72cf105da5ad3cf1e60379380
  SHA1: 65f5045bb5d27d885a47a23c53485373273979e6
  SHA256: 84da9bec7d045f71ea99ddf684e0f41f239df6595885f7b16e0e8d7cb3e8c703
  SHA512: 84774bc8ca5608bbb0a76615dca29180aa1aa432ba5728d072eba937949e5dd6243889b2877c3a3acb8e97916cb8df7ae93526a67701f216b19482072875ef59
- Filesize: 1KB
  MD5: d0813621cdc8f807e315d07581c28c48
  SHA1: 0ccbf04520bd7952a6b5c7291d5695a7de199a67
  SHA256: 9f870027745f2e032cabfee0ff863a7d0f29f9d05146b12292100115325ac7ba
  SHA512: 4d551caa6ff0dac2cdac8195046e7ecf90ae008c5b42e432d7e52c5a98f3370916a8d912607cbc49811b778093e8173a9032671a82f5f068d4f05184691cc426