Analysis
- max time kernel: 261s
- max time network: 271s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2022 11:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: build-052.msi
- Resource: win7-20220901-en
General
- Target: build-052.msi
- Size: 720KB
- MD5: 5241275990f43d896fee78d1d72757e3
- SHA1: 8d825da07a5ccb9e518c518ea4d61c9b8374e63b
- SHA256: cbc31e48f08c7d1877246e6759edee70cecdfc76416a7b7f7ca0feede3355b93
- SHA512: 1b417940bbdb56f63533ac380fb288870e095fa8f491bed472e171c7eab3d4090edeb72f90b2b21330eaad8ebb8a25dded4db470d5d3b13087ad707b97ae6f4e
- SSDEEP: 12288:ywHL0D7hkCPumy9chfA+t58B0igC+/NHBnn1SCSR:jHL0R/zyt+X8BtZKBn1SD
Malware Config
Extracted
- Family: icedid
- Campaign: 787509923
- C2: kamintrewftor.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes: rundll32.exe
  flow | pid | process
  30 | 1544 | rundll32.exe
  71 | 1544 | rundll32.exe
  94 | 1544 | rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | rundll32.exe
- Loads dropped DLL (3 IoCs)
  Processes: MsiExec.exe, rundll32.exe, rundll32.exe
  pid | process
  4664 | MsiExec.exe
  5104 | rundll32.exe
  1544 | rundll32.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
  description | ioc | process
  File opened (read-only) | \??\A: through \??\Z: (every drive letter except C: and D:), each letter listed twice, 48 entries in total | msiexec.exe
- Drops file in Windows directory (13 IoCs)
  Processes: rundll32.exe, msiexec.exe
  description | ioc | process
  File opened for modification | C:\Windows\Installer\MSI8AEA.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e578a6d.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8AEA.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8AEA.tmp-\test.cs.dll | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSI8AEA.tmp-\CustomAction.config | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSI8AEA.tmp-\WixSharp.dll | rundll32.exe
  File created | C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI920F.tmp | msiexec.exe
  File created | C:\Windows\Installer\e578a6d.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\e578a6f.msi | msiexec.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: vssvc.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not captured in this extract] | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: msiexec.exe, rundll32.exe
  pid | process
  3500 | msiexec.exe
  3500 | msiexec.exe
  1544 | rundll32.exe
  1544 | rundll32.exe
  1544 | rundll32.exe
  1544 | rundll32.exe
  1544 | rundll32.exe
  1544 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: msiexec.exe, msiexec.exe, vssvc.exe
  description (Token:) | pid | process
  1492 msiexec.exe (31 entries, in the order recorded): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  3500 msiexec.exe (30 entries): SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (SeRestorePrivilege 15 times, SeTakeOwnershipPrivilege 13 times)
  1896 vssvc.exe (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: msiexec.exe
  pid | process
  1492 | msiexec.exe
  1492 | msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: msiexec.exe, MsiExec.exe, rundll32.exe
  description | pid | process | target process
  PID 3500 wrote to memory of 5000 | 3500 | msiexec.exe | srtasks.exe
  PID 3500 wrote to memory of 5000 | 3500 | msiexec.exe | srtasks.exe
  PID 3500 wrote to memory of 4664 | 3500 | msiexec.exe | MsiExec.exe
  PID 3500 wrote to memory of 4664 | 3500 | msiexec.exe | MsiExec.exe
  PID 4664 wrote to memory of 5104 | 4664 | MsiExec.exe | rundll32.exe
  PID 4664 wrote to memory of 5104 | 4664 | MsiExec.exe | rundll32.exe
  PID 5104 wrote to memory of 1544 | 5104 | rundll32.exe | rundll32.exe
  PID 5104 wrote to memory of 1544 | 5104 | rundll32.exe | rundll32.exe
Processes (process tree; indentation shows parent/child depth)

C:\Windows\system32\msiexec.exe (depth 1)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-052.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (depth 1)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe (depth 2)
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  C:\Windows\System32\MsiExec.exe (depth 2)
    command line: C:\Windows\System32\MsiExec.exe -Embedding FA2C6966E6BA3840B7E1B4AFFE6F3D75
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe (depth 3)
      command line: rundll32.exe "C:\Windows\Installer\MSI8AEA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240618312 2 test.cs!Test.CustomActions.MyAction
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\rundll32.exe (depth 4)
        command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp8E07.dll",init
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (depth 1)
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8E07.dll
  Filesize: 269KB
  MD5: c867efbbecf7c0d11ba068a1b2463b16
  SHA1: b2a18f3aa7c03644c358c9b91b79355c9988a2e2
  SHA256: 8f742aa9d35ec9bc6ebde2ccdf22f0d90f7087de8c4a7075e1d96d871ea58dd0
  SHA512: 8301a8613963d0bcb2974e02414da0bf513e324d223a9992368768b947e0ed791507344fb3401fcc704e8104df1808739991c3f5455bc03ed11bc84467a4c1c1
- C:\Windows\Installer\MSI8AEA.tmp
  Filesize: 413KB
  MD5: 9f9040acb62b821b269dba5a663769fb
  SHA1: 1fd7c7c0deca523cdee0f1a976f6c05606504d7f
  SHA256: 1eced6518d477be3169257286405ec87ec1084f00560ea223c3aa05b6bac08fa
  SHA512: f9517856e8521fe2c5a23b603e8b6845bd17c6a467bbcd64425c1467137b877f30c27f5d79c8a84faeaf9bb309ebe3b3231f876655553f2e63ba6a72a6057502
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: 58fe6cb9d9fe6b6d872d5fece182d369
  SHA1: b1fcac0293f5debf65cc7fdb4b08c644e99da36c
  SHA256: 7a0201dc0215976b3a993cddb18760d5e90183e2cd43a79cd0526c41705a26fa
  SHA512: 7f26582f365cdf9fa85844ef488e4c97a417849e08083b6232e4595e13eff23de793baa0840e0901a38d9816cd5d64d4833f32a8bb174294550523e69445fff8
- \??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f9940d9e-4ebd-412a-b806-4782f2b5e1b2}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 17d741b65722df5953c2fcb81b252c95
  SHA1: 03da6edabb61e4116309f6174f0fe6cfd84a0273
  SHA256: 96f87db0d974c8566f2d4b118d24cf8cbafecd7593314653c344bcdcf5f7b1a8
  SHA512: d7c0c35029766529ae72508aea81d97fcd9fbc20a081c4b1211819d82684d5290eec12ef2c961c25883ab8b0dd443d6009f986f6820eba7a03e59942cfcb5f25
- memory/1544-144-0x000001EA3FF10000-0x000001EA3FF19000-memory.dmp
  Filesize: 36KB
- memory/1544-141-0x0000000000000000-mapping.dmp
- memory/4664-133-0x0000000000000000-mapping.dmp
- memory/5000-132-0x0000000000000000-mapping.dmp
- memory/5104-136-0x0000000000000000-mapping.dmp
- memory/5104-140-0x00000169A8930000-0x00000169A89A0000-memory.dmp
  Filesize: 448KB
- memory/5104-146-0x00007FFEA5140000-0x00007FFEA5C01000-memory.dmp
  Filesize: 10.8MB
- memory/5104-139-0x000001698EA70000-0x000001698EA7A000-memory.dmp
  Filesize: 40KB
- memory/5104-138-0x0000016990510000-0x000001699053E000-memory.dmp
  Filesize: 184KB
- memory/5104-153-0x00007FFEA5140000-0x00007FFEA5C01000-memory.dmp
  Filesize: 10.8MB