Analysis Overview
SHA256
bef9c74d9661d20a87f3ef487ca025be5cfd3abf8ec334ecb595f3d0cd660a27
Threat Level: Known bad
The file ICARCUS_Evil_Worm_Full-main.zip was found to be: Known bad.
Malicious Activity Summary
Contains code to disable Windows Defender
Nirsoft
Obfuscated with Agile.Net obfuscator
Unsigned PE
Program crash
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-16 16:52
Signatures
Contains code to disable Windows Defender
Nirsoft
Obfuscated with Agile.Net obfuscator
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-16 16:52
Reported
2023-10-16 17:54
Platform
win10v2004-20230915-en
Max time kernel
2706s
Max time network
2591s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\ICARCUS_Evil_Worm_Full-main\IcarusEvilWorm_iPwn.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3836 wrote to memory of 4332 | N/A | C:\Users\Admin\Desktop\ICARCUS_Evil_Worm_Full-main\IcarusEvilWorm_iPwn.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3836 wrote to memory of 4332 | N/A | C:\Users\Admin\Desktop\ICARCUS_Evil_Worm_Full-main\IcarusEvilWorm_iPwn.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3836 wrote to memory of 4332 | N/A | C:\Users\Admin\Desktop\ICARCUS_Evil_Worm_Full-main\IcarusEvilWorm_iPwn.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ICARCUS_Evil_Worm_Full-main.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\ICARCUS_Evil_Worm_Full-main\IcarusEvilWorm_iPwn.exe
"C:\Users\Admin\Desktop\ICARCUS_Evil_Worm_Full-main\IcarusEvilWorm_iPwn.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\Desktop\ICARCUS_Evil_Worm_Full-main\IcarusEvilWorm_iPwn.exe
"C:\Users\Admin\Desktop\ICARCUS_Evil_Worm_Full-main\IcarusEvilWorm_iPwn.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Admin\Desktop\ICARCUS_Evil_Worm_Full-main\Plugins\Chat.dll:CheckIntegrity Self 42e3fda3c2ea2f16d7bc4c338860ac28
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1312
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IcarusEvilWorm_iPwn.exe.log
| MD5 | d0813621cdc8f807e315d07581c28c48 |
| SHA1 | 0ccbf04520bd7952a6b5c7291d5695a7de199a67 |
| SHA256 | 9f870027745f2e032cabfee0ff863a7d0f29f9d05146b12292100115325ac7ba |
| SHA512 | 4d551caa6ff0dac2cdac8195046e7ecf90ae008c5b42e432d7e52c5a98f3370916a8d912607cbc49811b778093e8173a9032671a82f5f068d4f05184691cc426 |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
| MD5 | d1a542b72cf105da5ad3cf1e60379380 |
| SHA1 | 65f5045bb5d27d885a47a23c53485373273979e6 |
| SHA256 | 84da9bec7d045f71ea99ddf684e0f41f239df6595885f7b16e0e8d7cb3e8c703 |
| SHA512 | 84774bc8ca5608bbb0a76615dca29180aa1aa432ba5728d072eba937949e5dd6243889b2877c3a3acb8e97916cb8df7ae93526a67701f216b19482072875ef59 |