Overview

overview

10

Static

static

build-052.msi

windows7-x64

6

build-052.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    261s
  • max time network
    271s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 11:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    build-052.msi

  • Size

    720KB

  • MD5

    5241275990f43d896fee78d1d72757e3

  • SHA1

    8d825da07a5ccb9e518c518ea4d61c9b8374e63b

  • SHA256

    cbc31e48f08c7d1877246e6759edee70cecdfc76416a7b7f7ca0feede3355b93

  • SHA512

    1b417940bbdb56f63533ac380fb288870e095fa8f491bed472e171c7eab3d4090edeb72f90b2b21330eaad8ebb8a25dded4db470d5d3b13087ad707b97ae6f4e

  • SSDEEP

    12288:ywHL0D7hkCPumy9chfA+t58B0igC+/NHBnn1SCSR:jHL0R/zyt+X8BtZKBn1SD

Score
10/10
icedid787509923bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

787509923

C2

kamintrewftor.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-052.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1492
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:5000
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding FA2C6966E6BA3840B7E1B4AFFE6F3D75
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4664
        • C:\Windows\system32\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSI8AEA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240618312 2 test.cs!Test.CustomActions.MyAction
          3⤵
          • Checks computer location settings
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:5104
          • C:\Windows\System32\rundll32.exe
            "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp8E07.dll",init
            4⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:1544
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1896

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    2
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp8E07.dll
      Filesize

      269KB

      MD5

      c867efbbecf7c0d11ba068a1b2463b16

      SHA1

      b2a18f3aa7c03644c358c9b91b79355c9988a2e2

      SHA256

      8f742aa9d35ec9bc6ebde2ccdf22f0d90f7087de8c4a7075e1d96d871ea58dd0

      SHA512

      8301a8613963d0bcb2974e02414da0bf513e324d223a9992368768b947e0ed791507344fb3401fcc704e8104df1808739991c3f5455bc03ed11bc84467a4c1c1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp8E07.dll
      Filesize

      269KB

      MD5

      c867efbbecf7c0d11ba068a1b2463b16

      SHA1

      b2a18f3aa7c03644c358c9b91b79355c9988a2e2

      SHA256

      8f742aa9d35ec9bc6ebde2ccdf22f0d90f7087de8c4a7075e1d96d871ea58dd0

      SHA512

      8301a8613963d0bcb2974e02414da0bf513e324d223a9992368768b947e0ed791507344fb3401fcc704e8104df1808739991c3f5455bc03ed11bc84467a4c1c1

      Download Submit
    • C:\Windows\Installer\MSI8AEA.tmp
      Filesize

      413KB

      MD5

      9f9040acb62b821b269dba5a663769fb

      SHA1

      1fd7c7c0deca523cdee0f1a976f6c05606504d7f

      SHA256

      1eced6518d477be3169257286405ec87ec1084f00560ea223c3aa05b6bac08fa

      SHA512

      f9517856e8521fe2c5a23b603e8b6845bd17c6a467bbcd64425c1467137b877f30c27f5d79c8a84faeaf9bb309ebe3b3231f876655553f2e63ba6a72a6057502

      Download Submit
    • C:\Windows\Installer\MSI8AEA.tmp
      Filesize

      413KB

      MD5

      9f9040acb62b821b269dba5a663769fb

      SHA1

      1fd7c7c0deca523cdee0f1a976f6c05606504d7f

      SHA256

      1eced6518d477be3169257286405ec87ec1084f00560ea223c3aa05b6bac08fa

      SHA512

      f9517856e8521fe2c5a23b603e8b6845bd17c6a467bbcd64425c1467137b877f30c27f5d79c8a84faeaf9bb309ebe3b3231f876655553f2e63ba6a72a6057502

      Download Submit
    • C:\Windows\Installer\MSI8AEA.tmp
      Filesize

      413KB

      MD5

      9f9040acb62b821b269dba5a663769fb

      SHA1

      1fd7c7c0deca523cdee0f1a976f6c05606504d7f

      SHA256

      1eced6518d477be3169257286405ec87ec1084f00560ea223c3aa05b6bac08fa

      SHA512

      f9517856e8521fe2c5a23b603e8b6845bd17c6a467bbcd64425c1467137b877f30c27f5d79c8a84faeaf9bb309ebe3b3231f876655553f2e63ba6a72a6057502

      Download Submit
    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.0MB

      MD5

      58fe6cb9d9fe6b6d872d5fece182d369

      SHA1

      b1fcac0293f5debf65cc7fdb4b08c644e99da36c

      SHA256

      7a0201dc0215976b3a993cddb18760d5e90183e2cd43a79cd0526c41705a26fa

      SHA512

      7f26582f365cdf9fa85844ef488e4c97a417849e08083b6232e4595e13eff23de793baa0840e0901a38d9816cd5d64d4833f32a8bb174294550523e69445fff8

      Download Submit
    • \??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f9940d9e-4ebd-412a-b806-4782f2b5e1b2}_OnDiskSnapshotProp
      Filesize

      5KB

      MD5

      17d741b65722df5953c2fcb81b252c95

      SHA1

      03da6edabb61e4116309f6174f0fe6cfd84a0273

      SHA256

      96f87db0d974c8566f2d4b118d24cf8cbafecd7593314653c344bcdcf5f7b1a8

      SHA512

      d7c0c35029766529ae72508aea81d97fcd9fbc20a081c4b1211819d82684d5290eec12ef2c961c25883ab8b0dd443d6009f986f6820eba7a03e59942cfcb5f25

      Download Submit
    • memory/1544-144-0x000001EA3FF10000-0x000001EA3FF19000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1544-141-0x0000000000000000-mapping.dmp
      Download
    • memory/4664-133-0x0000000000000000-mapping.dmp
      Download
    • memory/5000-132-0x0000000000000000-mapping.dmp
      Download
    • memory/5104-136-0x0000000000000000-mapping.dmp
      Download
    • memory/5104-140-0x00000169A8930000-0x00000169A89A0000-memory.dmp
      Filesize

      448KB

      Download
    • memory/5104-146-0x00007FFEA5140000-0x00007FFEA5C01000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/5104-139-0x000001698EA70000-0x000001698EA7A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/5104-138-0x0000016990510000-0x000001699053E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/5104-153-0x00007FFEA5140000-0x00007FFEA5C01000-memory.dmp
      Filesize

      10.8MB

      Download