Analysis
-
max time kernel
101s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
06-12-2022 06:29
General
-
Target
wild_will.msi
-
Size
720KB
-
MD5
12fef89480f3c38d0949f7fd9458856d
-
SHA1
8ed8d7bf9c6ffc2934e5c9773692ded50f87ceec
-
SHA256
2bd43175f33d5e03ae53c00541a357c3578a158f56d8b20b9099a45ccebc801a
-
SHA512
0b4e9035905c9da6e7b0d8e0eeda3f6e7b8522135aec15eea14b85bb0966b5058f3443aa054983f00918b29fd3e699efca3a49030ee195c7b3f09d6c667e2a2f
-
SSDEEP
12288:pwHL0D7vkCPumy9chfA+t78B0igC+/NHB01SlF1:2HL0f/zyt+x8BtZKB6SD
Malware Config
Extracted
icedid
787509923
kamintrewftor.com
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Blocklisted process makes network request 1 IoCs
-
Loads dropped DLL 6 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 15 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wild_will.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 5E3320C2816356A824294E15C9FCDEB22⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Windows\Installer\MSI91C5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7181038 1 test.cs!Test.CustomActions.MyAction3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpA140.dll",init4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B0" "000000000000031C"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpA140.dllFilesize
269KB
MD5c9c9eceda71bf20d0004e8b7c6396d0f
SHA11f72cabb64e1d9f02617d38ac00628304b4b6186
SHA256637cd9ccf15d57a50847fe566265575bc06e146e45673a0f47b96f9c12d212ac
SHA512117ea65a2eef8b9a3a5d3e0f9d62c77d58df12d3bd8e6a7090c034536e8969b5b05b1a58b7e0b4a5444ffb585c3facf7d001c434a9c34db81d6c9dfc452e3870
-
C:\Windows\Installer\MSI91C5.tmpFilesize
413KB
MD5cb3d847e4014f2681f11aa55d2eafb37
SHA127cf8bade4e787c4a3f51c9fd36f8c9f04c0b85e
SHA256f9d0d10de2d66ff63916772e8d2b757f1502c823a3c39202709ffbb9a4725b70
SHA512dc6b8167363a7f3cac3c37bd4db8b5d0e3ec4c97723874dd5073adf2de3c03665129ba7623aee7ec1d20beef54eba85d303f2cedecb86878b77ebe7ab18fbed0
-
\Users\Admin\AppData\Local\Temp\tmpA140.dllFilesize
269KB
MD5c9c9eceda71bf20d0004e8b7c6396d0f
SHA11f72cabb64e1d9f02617d38ac00628304b4b6186
SHA256637cd9ccf15d57a50847fe566265575bc06e146e45673a0f47b96f9c12d212ac
SHA512117ea65a2eef8b9a3a5d3e0f9d62c77d58df12d3bd8e6a7090c034536e8969b5b05b1a58b7e0b4a5444ffb585c3facf7d001c434a9c34db81d6c9dfc452e3870
-
\Users\Admin\AppData\Local\Temp\tmpA140.dllFilesize
269KB
MD5c9c9eceda71bf20d0004e8b7c6396d0f
SHA11f72cabb64e1d9f02617d38ac00628304b4b6186
SHA256637cd9ccf15d57a50847fe566265575bc06e146e45673a0f47b96f9c12d212ac
SHA512117ea65a2eef8b9a3a5d3e0f9d62c77d58df12d3bd8e6a7090c034536e8969b5b05b1a58b7e0b4a5444ffb585c3facf7d001c434a9c34db81d6c9dfc452e3870
-
\Users\Admin\AppData\Local\Temp\tmpA140.dllFilesize
269KB
MD5c9c9eceda71bf20d0004e8b7c6396d0f
SHA11f72cabb64e1d9f02617d38ac00628304b4b6186
SHA256637cd9ccf15d57a50847fe566265575bc06e146e45673a0f47b96f9c12d212ac
SHA512117ea65a2eef8b9a3a5d3e0f9d62c77d58df12d3bd8e6a7090c034536e8969b5b05b1a58b7e0b4a5444ffb585c3facf7d001c434a9c34db81d6c9dfc452e3870
-
\Users\Admin\AppData\Local\Temp\tmpA140.dllFilesize
269KB
MD5c9c9eceda71bf20d0004e8b7c6396d0f
SHA11f72cabb64e1d9f02617d38ac00628304b4b6186
SHA256637cd9ccf15d57a50847fe566265575bc06e146e45673a0f47b96f9c12d212ac
SHA512117ea65a2eef8b9a3a5d3e0f9d62c77d58df12d3bd8e6a7090c034536e8969b5b05b1a58b7e0b4a5444ffb585c3facf7d001c434a9c34db81d6c9dfc452e3870
-
\Windows\Installer\MSI91C5.tmpFilesize
413KB
MD5cb3d847e4014f2681f11aa55d2eafb37
SHA127cf8bade4e787c4a3f51c9fd36f8c9f04c0b85e
SHA256f9d0d10de2d66ff63916772e8d2b757f1502c823a3c39202709ffbb9a4725b70
SHA512dc6b8167363a7f3cac3c37bd4db8b5d0e3ec4c97723874dd5073adf2de3c03665129ba7623aee7ec1d20beef54eba85d303f2cedecb86878b77ebe7ab18fbed0
-
\Windows\Installer\MSI91C5.tmpFilesize
413KB
MD5cb3d847e4014f2681f11aa55d2eafb37
SHA127cf8bade4e787c4a3f51c9fd36f8c9f04c0b85e
SHA256f9d0d10de2d66ff63916772e8d2b757f1502c823a3c39202709ffbb9a4725b70
SHA512dc6b8167363a7f3cac3c37bd4db8b5d0e3ec4c97723874dd5073adf2de3c03665129ba7623aee7ec1d20beef54eba85d303f2cedecb86878b77ebe7ab18fbed0
-
memory/316-72-0x0000000000120000-0x0000000000129000-memory.dmpFilesize
36KB
-
memory/316-66-0x0000000000000000-mapping.dmp
-
memory/556-60-0x0000000000000000-mapping.dmp
-
memory/556-64-0x000000001A320000-0x000000001A390000-memory.dmpFilesize
448KB
-
memory/556-63-0x0000000001E50000-0x0000000001E5A000-memory.dmpFilesize
40KB
-
memory/556-62-0x0000000000480000-0x00000000004AE000-memory.dmpFilesize
184KB
-
memory/904-54-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmpFilesize
8KB
-
memory/1460-56-0x0000000000000000-mapping.dmp