Analysis
max time kernel: 151s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 06:29
Static task: static1
Behavioral task: behavioral1
Sample: wild_will.msi
Resource: win7-20220812-en
General
Target: wild_will.msi
Size: 720KB
MD5: 12fef89480f3c38d0949f7fd9458856d
SHA1: 8ed8d7bf9c6ffc2934e5c9773692ded50f87ceec
SHA256: 2bd43175f33d5e03ae53c00541a357c3578a158f56d8b20b9099a45ccebc801a
SHA512: 0b4e9035905c9da6e7b0d8e0eeda3f6e7b8522135aec15eea14b85bb0966b5058f3443aa054983f00918b29fd3e699efca3a49030ee195c7b3f09d6c667e2a2f
SSDEEP: 12288:pwHL0D7vkCPumy9chfA+t78B0igC+/NHB01SlF1:2HL0f/zyt+x8BtZKB6SD
Malware Config
Extracted:
icedid
787509923
kamintrewftor.com
Signatures

Blocklisted process makes network request (1 IoC)
Processes: rundll32.exe
  flow 51, pid 1092, rundll32.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: rundll32.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (rundll32.exe)
Loads dropped DLL (3 IoCs)
Processes: MsiExec.exe, rundll32.exe, rundll32.exe
  pid 2932 MsiExec.exe
  pid 5096 rundll32.exe
  pid 1092 rundll32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  File opened (read-only) by msiexec.exe, in the order recorded: \??\A:, \??\F:, \??\U:, \??\K:, \??\U:, \??\K:, \??\T:, \??\V:, \??\S:, \??\T:, \??\V:, \??\N:, \??\Q:, \??\Y:, \??\L:, \??\M:, \??\W:, \??\G:, \??\M:, \??\E:, \??\J:, \??\Q:, \??\X:, \??\H:, \??\O:, \??\B:, \??\Y:, \??\B:, \??\I:, \??\L:, \??\S:, \??\X:, \??\Z:, \??\A:, \??\Z:, \??\E:, \??\F:, \??\H:, \??\I:, \??\O:, \??\R:, \??\J:, \??\P:, \??\R:, \??\W:, \??\G:, \??\N:, \??\P:
Drops file in Windows directory (13 IoCs)
Processes: msiexec.exe, rundll32.exe
  File opened for modification C:\Windows\Installer\e5834d6.msi (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSI3592.tmp (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSI3592.tmp-\CustomAction.config (rundll32.exe)
  File opened for modification C:\Windows\Installer\MSI3592.tmp-\WixSharp.dll (rundll32.exe)
  File opened for modification C:\Windows\Installer\MSI3592.tmp-\Microsoft.Deployment.WindowsInstaller.dll (rundll32.exe)
  File opened for modification C:\Windows\Installer\ (msiexec.exe)
  File created C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  File created C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSI3DEF.tmp (msiexec.exe)
  File created C:\Windows\Installer\e5834d8.msi (msiexec.exe)
  File created C:\Windows\Installer\e5834d6.msi (msiexec.exe)
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSI3592.tmp-\test.cs.dll (rundll32.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache (vssvc.exe)
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: rundll32.exe, msiexec.exe
  pid 1092 rundll32.exe, 1092 rundll32.exe, 1092 rundll32.exe, 1092 rundll32.exe, 2624 msiexec.exe, 2624 msiexec.exe, 1092 rundll32.exe, 1092 rundll32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe
Tokens adjusted, grouped by process in the order recorded:
  4976 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  2624 msiexec.exe: SeSecurityPrivilege
  4976 msiexec.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  4880 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  2624 msiexec.exe: SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, then the pair SeTakeOwnershipPrivilege, SeRestorePrivilege repeated 11 times (22 events)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  pid 4976 msiexec.exe, 4976 msiexec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: msiexec.exe, MsiExec.exe, rundll32.exe
  PID 2624 (msiexec.exe) wrote to memory of 4712 (srtasks.exe)
  PID 2624 (msiexec.exe) wrote to memory of 4712 (srtasks.exe)
  PID 2624 (msiexec.exe) wrote to memory of 2932 (MsiExec.exe)
  PID 2624 (msiexec.exe) wrote to memory of 2932 (MsiExec.exe)
  PID 2932 (MsiExec.exe) wrote to memory of 5096 (rundll32.exe)
  PID 2932 (MsiExec.exe) wrote to memory of 5096 (rundll32.exe)
  PID 5096 (rundll32.exe) wrote to memory of 1092 (rundll32.exe)
  PID 5096 (rundll32.exe) wrote to memory of 1092 (rundll32.exe)
Processes (tree; indentation shows parent/child depth)

- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wild_will.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    - C:\Windows\System32\MsiExec.exe
      Command line: C:\Windows\System32\MsiExec.exe -Embedding 65D0D85A9C358FA53358A42734B050BF
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        - C:\Windows\system32\rundll32.exe
          Command line: rundll32.exe "C:\Windows\Installer\MSI3592.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240662062 2 test.cs!Test.CustomActions.MyAction
          - Checks computer location settings
          - Loads dropped DLL
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory

            - C:\Windows\System32\rundll32.exe
              Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp388F.dll",init
              - Blocklisted process makes network request
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp388F.dll
  Filesize: 269KB
  MD5: c9c9eceda71bf20d0004e8b7c6396d0f
  SHA1: 1f72cabb64e1d9f02617d38ac00628304b4b6186
  SHA256: 637cd9ccf15d57a50847fe566265575bc06e146e45673a0f47b96f9c12d212ac
  SHA512: 117ea65a2eef8b9a3a5d3e0f9d62c77d58df12d3bd8e6a7090c034536e8969b5b05b1a58b7e0b4a5444ffb585c3facf7d001c434a9c34db81d6c9dfc452e3870
- C:\Windows\Installer\MSI3592.tmp
  Filesize: 413KB
  MD5: cb3d847e4014f2681f11aa55d2eafb37
  SHA1: 27cf8bade4e787c4a3f51c9fd36f8c9f04c0b85e
  SHA256: f9d0d10de2d66ff63916772e8d2b757f1502c823a3c39202709ffbb9a4725b70
  SHA512: dc6b8167363a7f3cac3c37bd4db8b5d0e3ec4c97723874dd5073adf2de3c03665129ba7623aee7ec1d20beef54eba85d303f2cedecb86878b77ebe7ab18fbed0
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: 60ebbd34e80216aa818d122e5ddac7cc
  SHA1: c3a7766c3dfb26ffbcb17a904074bb2801764b42
  SHA256: 873a0c7f7abc54634d055668e698f20685fa82ec01ffd25881a0435849a6cce2
  SHA512: d552e0b8602f7accaf2a1ffb1810847642a49d18a25461064b7e354eff5688ce8acc8115c3879e411f4f8dd6ecf9c57d2876ef6ec12c6a981d99266f183ca89c
- \??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e130cffa-f28a-4bdc-9d36-b0d45a197dcb}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: b4bd4d7f103f48bb956716c7bc1bef9c
  SHA1: 828bc9a663d4e8b2524d832462ceca06ca9af694
  SHA256: bdd48661637f3a8fc5d0f9dceddc1799d3bf81903ed867ef0155d6658b76f0fe
  SHA512: ff183eafd06449bded1525dc02ea7a56a9aabdd44caaa05472dd85171ed00942b3cf926d8f8e47f71afbc5476541f228c56b2a439bd81bfc2ef2c6f28f6e4d11
Memory dumps

- memory/1092-145-0x0000019BD5CB0000-0x0000019BD5CB9000-memory.dmp (Filesize: 36KB)
- memory/1092-142-0x0000000000000000-mapping.dmp
- memory/2932-133-0x0000000000000000-mapping.dmp
- memory/4712-132-0x0000000000000000-mapping.dmp
- memory/5096-136-0x0000000000000000-mapping.dmp
- memory/5096-141-0x00007FFC657B0000-0x00007FFC66271000-memory.dmp (Filesize: 10.8MB)
- memory/5096-140-0x000001F8F85A0000-0x000001F8F8610000-memory.dmp (Filesize: 448KB)
- memory/5096-147-0x00007FFC657B0000-0x00007FFC66271000-memory.dmp (Filesize: 10.8MB)
- memory/5096-139-0x000001F8F84D0000-0x000001F8F84DA000-memory.dmp (Filesize: 40KB)
- memory/5096-138-0x000001F8F8500000-0x000001F8F852E000-memory.dmp (Filesize: 184KB)