Analysis
- max time kernel: 173s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 19:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: document_133_invoice#PDF.msi
- Resource: win7-20221111-en
General
- Target: document_133_invoice#PDF.msi
- Size: 660KB
- MD5: 76bf2b13ab0bdb12c1b8fc474fb9984e
- SHA1: 8c90ecad73788a40c93ca6a6411c79c581216cee
- SHA256: 070f9169977c766c426e9c1a8161a40f54a068ef7cc1c3090d226e87dc890095
- SHA512: 8945defdd78c03c0e62ac636657835e70210afba5ade7a8f9eab8c6725371b30a9ad26820ed57a0d7fe2b5af6bf2ab18a06ed6adb35c6203ae0dfd1057fd01be
- SSDEEP: 12288:nwHL0D7CkCPumy9chfA+tO5O//M777777LwmqLuSgF3u:wHL0S/zyt+M5OX/qtF3u
Malware Config
Extracted
- Family: icedid
- 764376559
- saintrefunda.com
Signatures
Loads dropped DLL (6 IoCs)
Processes (pid, process):
- 280 MsiExec.exe
- 1552 rundll32.exe
- 1952 rundll32.exe
- 1952 rundll32.exe
- 1952 rundll32.exe
- 1952 rundll32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
All 48 events are "File opened (read-only)" by msiexec.exe, in the order observed:
\??\H: \??\J: \??\K: \??\O: \??\U: \??\E: \??\G: \??\Z: \??\Q: \??\V: \??\X: \??\F:
\??\H: \??\N: \??\R: \??\U: \??\W: \??\Y: \??\Y: \??\P: \??\G: \??\S: \??\Z: \??\E:
\??\I: \??\J: \??\K: \??\F: \??\O: \??\S: \??\W: \??\L: \??\L: \??\M: \??\B: \??\T:
\??\A: \??\B: \??\N: \??\V: \??\X: \??\A: \??\M: \??\P: \??\Q: \??\R: \??\T: \??\I:
Drops file in Windows directory (12 IoCs)
Processes (description, ioc, process):
- File opened for modification C:\Windows\Installer\ msiexec.exe
- File opened for modification C:\Windows\Installer\6f4423.msi msiexec.exe
- File opened for modification C:\Windows\Installer\MSI44AF.tmp-\test.cs.dll rundll32.exe
- File opened for modification C:\Windows\Installer\MSI44AF.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe
- File created C:\Windows\Installer\6f4424.ipi msiexec.exe
- File opened for modification C:\Windows\Installer\MSI44AF.tmp msiexec.exe
- File opened for modification C:\Windows\Installer\MSI44AF.tmp-\CustomAction.config rundll32.exe
- File opened for modification C:\Windows\Installer\MSI44AF.tmp-\WixSharp.dll rundll32.exe
- File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe
- File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
- File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
- File created C:\Windows\Installer\6f4423.msi msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (43 IoCs)
Processes: DrvInst.exe (all 43 events below are by DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
- 872 msiexec.exe
- 872 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
- 768 msiexec.exe
Suspicious use of AdjustPrivilegeToken (53 IoCs)
Processes (description, pid, process):
- Token: SeShutdownPrivilege 768 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 768 msiexec.exe
- Token: SeRestorePrivilege 872 msiexec.exe
- Token: SeTakeOwnershipPrivilege 872 msiexec.exe
- Token: SeSecurityPrivilege 872 msiexec.exe
- Token: SeCreateTokenPrivilege 768 msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege 768 msiexec.exe
- Token: SeLockMemoryPrivilege 768 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 768 msiexec.exe
- Token: SeMachineAccountPrivilege 768 msiexec.exe
- Token: SeTcbPrivilege 768 msiexec.exe
- Token: SeSecurityPrivilege 768 msiexec.exe
- Token: SeTakeOwnershipPrivilege 768 msiexec.exe
- Token: SeLoadDriverPrivilege 768 msiexec.exe
- Token: SeSystemProfilePrivilege 768 msiexec.exe
- Token: SeSystemtimePrivilege 768 msiexec.exe
- Token: SeProfSingleProcessPrivilege 768 msiexec.exe
- Token: SeIncBasePriorityPrivilege 768 msiexec.exe
- Token: SeCreatePagefilePrivilege 768 msiexec.exe
- Token: SeCreatePermanentPrivilege 768 msiexec.exe
- Token: SeBackupPrivilege 768 msiexec.exe
- Token: SeRestorePrivilege 768 msiexec.exe
- Token: SeShutdownPrivilege 768 msiexec.exe
- Token: SeDebugPrivilege 768 msiexec.exe
- Token: SeAuditPrivilege 768 msiexec.exe
- Token: SeSystemEnvironmentPrivilege 768 msiexec.exe
- Token: SeChangeNotifyPrivilege 768 msiexec.exe
- Token: SeRemoteShutdownPrivilege 768 msiexec.exe
- Token: SeUndockPrivilege 768 msiexec.exe
- Token: SeSyncAgentPrivilege 768 msiexec.exe
- Token: SeEnableDelegationPrivilege 768 msiexec.exe
- Token: SeManageVolumePrivilege 768 msiexec.exe
- Token: SeImpersonatePrivilege 768 msiexec.exe
- Token: SeCreateGlobalPrivilege 768 msiexec.exe
- Token: SeBackupPrivilege 1332 vssvc.exe
- Token: SeRestorePrivilege 1332 vssvc.exe
- Token: SeAuditPrivilege 1332 vssvc.exe
- Token: SeBackupPrivilege 872 msiexec.exe
- Token: SeRestorePrivilege 872 msiexec.exe
- Token: SeRestorePrivilege 832 DrvInst.exe (7 consecutive entries)
- Token: SeLoadDriverPrivilege 832 DrvInst.exe (3 consecutive entries)
- Token: SeRestorePrivilege 872 msiexec.exe
- Token: SeTakeOwnershipPrivilege 872 msiexec.exe
- Token: SeRestorePrivilege 872 msiexec.exe
- Token: SeTakeOwnershipPrivilege 872 msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid, process):
- 768 msiexec.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description, pid, process, target process):
- PID 872 wrote to memory of 280: msiexec.exe -> MsiExec.exe (5 entries)
- PID 280 wrote to memory of 1552: MsiExec.exe -> rundll32.exe (3 entries)
- PID 1552 wrote to memory of 1952: rundll32.exe -> rundll32.exe (3 entries)
Processes (indentation shows the process tree depth)
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\document_133_invoice#PDF.msi
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\MsiExec.exe
    Command line: C:\Windows\system32\MsiExec.exe -Embedding 29C15E1222C07DAD8C7F89DEBAAD01B2
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe "C:\Windows\Installer\MSI44AF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7292313 1 test.cs!Test.CustomActions.MyAction
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp4F88.dll",init
        - Loads dropped DLL
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000320"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp4F88.dll
  Filesize: 209KB
  MD5: 9cdcf94f409858d32e40e9aef7d271da
  SHA1: c6d3606543c811e6d358ae4a922b6b33c2166a65
  SHA256: 9a9a70427875d55a1ee596b0e7066021d2bbf51b47b2421de8bb098ac47e473c
  SHA512: 94e09710d881a6e7a143eab3c6cd2e04c6fe79cfa5980ea514c5a4130a7f160f6452b71bc4b58ceffc67c3d92ee20e72bb76745b551caf41d440ce91dc3e78f0
- C:\Windows\Installer\MSI44AF.tmp
  Filesize: 413KB
  MD5: 36d4ec822441ec5f0e0b4c10e15efb7e
  SHA1: da738e9e0b85ac72662c5cd3f08ce75f12cb0abb
  SHA256: a928e3d91e8fbff0a66c704ded9c8b667bd37e190cd8496e72dfc7bd1635a564
  SHA512: 64c7146993c09d486480767cc9db516aba9d7b27898d8c94c6ea82de485445527f9743319c8b33cdd4dc4877a852007e66c6a081f28204566c9a7865175646a0
- \Users\Admin\AppData\Local\Temp\tmp4F88.dll
  Filesize: 209KB
  MD5: 9cdcf94f409858d32e40e9aef7d271da
  SHA1: c6d3606543c811e6d358ae4a922b6b33c2166a65
  SHA256: 9a9a70427875d55a1ee596b0e7066021d2bbf51b47b2421de8bb098ac47e473c
  SHA512: 94e09710d881a6e7a143eab3c6cd2e04c6fe79cfa5980ea514c5a4130a7f160f6452b71bc4b58ceffc67c3d92ee20e72bb76745b551caf41d440ce91dc3e78f0
- \Windows\Installer\MSI44AF.tmp
  Filesize: 413KB
  MD5: 36d4ec822441ec5f0e0b4c10e15efb7e
  SHA1: da738e9e0b85ac72662c5cd3f08ce75f12cb0abb
  SHA256: a928e3d91e8fbff0a66c704ded9c8b667bd37e190cd8496e72dfc7bd1635a564
  SHA512: 64c7146993c09d486480767cc9db516aba9d7b27898d8c94c6ea82de485445527f9743319c8b33cdd4dc4877a852007e66c6a081f28204566c9a7865175646a0
- memory/280-56-0x0000000000000000-mapping.dmp
- memory/768-54-0x000007FEFB971000-0x000007FEFB973000-memory.dmp
  Filesize: 8KB
- memory/1552-60-0x0000000000000000-mapping.dmp
- memory/1552-64-0x0000000001EE0000-0x0000000001F50000-memory.dmp
  Filesize: 448KB
- memory/1552-63-0x0000000001ED0000-0x0000000001EDA000-memory.dmp
  Filesize: 40KB
- memory/1552-62-0x0000000001BB0000-0x0000000001BDE000-memory.dmp
  Filesize: 184KB
- memory/1952-66-0x0000000000000000-mapping.dmp
- memory/1952-72-0x0000000180000000-0x0000000180009000-memory.dmp
  Filesize: 36KB