Analysis

max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 19:23

Static task: static1
Behavioral task: behavioral1
Sample: document_133_invoice#PDF.msi
Resource: win7-20221111-en
General

Target: document_133_invoice#PDF.msi
Size: 660KB
MD5: 76bf2b13ab0bdb12c1b8fc474fb9984e
SHA1: 8c90ecad73788a40c93ca6a6411c79c581216cee
SHA256: 070f9169977c766c426e9c1a8161a40f54a068ef7cc1c3090d226e87dc890095
SHA512: 8945defdd78c03c0e62ac636657835e70210afba5ade7a8f9eab8c6725371b30a9ad26820ed57a0d7fe2b5af6bf2ab18a06ed6adb35c6203ae0dfd1057fd01be
SSDEEP: 12288:nwHL0D7CkCPumy9chfA+tO5O//M777777LwmqLuSgF3u:wHL0S/zyt+M5OX/qtF3u
Malware Config

Extracted:
  icedid
  764376559
  saintrefunda.com
Signatures

Blocklisted process makes network request (3 IoCs)
Processes:
  flow | pid | process
  16 | 428 | rundll32.exe
  42 | 428 | rundll32.exe
  44 | 428 | rundll32.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | rundll32.exe
Loads dropped DLL (3 IoCs)
Processes:
  pid | process
  440 | MsiExec.exe
  5016 | rundll32.exe
  428 | rundll32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
Drops file in Windows directory (13 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI13F5.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI13F5.tmp-\test.cs.dll | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSI13F5.tmp-\CustomAction.config | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSI13F5.tmp-\WixSharp.dll | rundll32.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI1ACC.tmp | msiexec.exe
  File created | C:\Windows\Installer\e571369.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e571369.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI13F5.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} | msiexec.exe
  File created | C:\Windows\Installer\e57136b.msi | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid | process
  3964 | msiexec.exe
  3964 | msiexec.exe
  428 | rundll32.exe
  428 | rundll32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 3376 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 3376 | msiexec.exe
  Token: SeSecurityPrivilege | 3964 | msiexec.exe
  Token: SeCreateTokenPrivilege | 3376 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 3376 | msiexec.exe
  Token: SeLockMemoryPrivilege | 3376 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 3376 | msiexec.exe
  Token: SeMachineAccountPrivilege | 3376 | msiexec.exe
  Token: SeTcbPrivilege | 3376 | msiexec.exe
  Token: SeSecurityPrivilege | 3376 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3376 | msiexec.exe
  Token: SeLoadDriverPrivilege | 3376 | msiexec.exe
  Token: SeSystemProfilePrivilege | 3376 | msiexec.exe
  Token: SeSystemtimePrivilege | 3376 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 3376 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 3376 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 3376 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 3376 | msiexec.exe
  Token: SeBackupPrivilege | 3376 | msiexec.exe
  Token: SeRestorePrivilege | 3376 | msiexec.exe
  Token: SeShutdownPrivilege | 3376 | msiexec.exe
  Token: SeDebugPrivilege | 3376 | msiexec.exe
  Token: SeAuditPrivilege | 3376 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 3376 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 3376 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 3376 | msiexec.exe
  Token: SeUndockPrivilege | 3376 | msiexec.exe
  Token: SeSyncAgentPrivilege | 3376 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 3376 | msiexec.exe
  Token: SeManageVolumePrivilege | 3376 | msiexec.exe
  Token: SeImpersonatePrivilege | 3376 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 3376 | msiexec.exe
  Token: SeBackupPrivilege | 1032 | vssvc.exe
  Token: SeRestorePrivilege | 1032 | vssvc.exe
  Token: SeAuditPrivilege | 1032 | vssvc.exe
  Token: SeBackupPrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3964 | msiexec.exe
  Token: SeRestorePrivilege | 3964 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid | process
  3376 | msiexec.exe
  3376 | msiexec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description | pid | process | target process
  PID 3964 wrote to memory of 2036 | 3964 | msiexec.exe | srtasks.exe
  PID 3964 wrote to memory of 2036 | 3964 | msiexec.exe | srtasks.exe
  PID 3964 wrote to memory of 440 | 3964 | msiexec.exe | MsiExec.exe
  PID 3964 wrote to memory of 440 | 3964 | msiexec.exe | MsiExec.exe
  PID 440 wrote to memory of 5016 | 440 | MsiExec.exe | rundll32.exe
  PID 440 wrote to memory of 5016 | 440 | MsiExec.exe | rundll32.exe
  PID 5016 wrote to memory of 428 | 5016 | rundll32.exe | rundll32.exe
  PID 5016 wrote to memory of 428 | 5016 | rundll32.exe | rundll32.exe
Processes

C:\Windows\system32\msiexec.exe
    Command: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\document_133_invoice#PDF.msi
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
    Command: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe
        Command: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    C:\Windows\System32\MsiExec.exe
        Command: C:\Windows\System32\MsiExec.exe -Embedding 6B754554FB7A452E1C892055FEDEA6F4
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\rundll32.exe
            Command: rundll32.exe "C:\Windows\Installer\MSI13F5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240587921 2 test.cs!Test.CustomActions.MyAction
            - Checks computer location settings
            - Loads dropped DLL
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory

            C:\Windows\System32\rundll32.exe
                Command: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp1731.dll",init
                - Blocklisted process makes network request
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
    Command: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1731.dll
  Filesize: 209KB
  MD5: 9cdcf94f409858d32e40e9aef7d271da
  SHA1: c6d3606543c811e6d358ae4a922b6b33c2166a65
  SHA256: 9a9a70427875d55a1ee596b0e7066021d2bbf51b47b2421de8bb098ac47e473c
  SHA512: 94e09710d881a6e7a143eab3c6cd2e04c6fe79cfa5980ea514c5a4130a7f160f6452b71bc4b58ceffc67c3d92ee20e72bb76745b551caf41d440ce91dc3e78f0

C:\Windows\Installer\MSI13F5.tmp
  Filesize: 413KB
  MD5: 36d4ec822441ec5f0e0b4c10e15efb7e
  SHA1: da738e9e0b85ac72662c5cd3f08ce75f12cb0abb
  SHA256: a928e3d91e8fbff0a66c704ded9c8b667bd37e190cd8496e72dfc7bd1635a564
  SHA512: 64c7146993c09d486480767cc9db516aba9d7b27898d8c94c6ea82de485445527f9743319c8b33cdd4dc4877a852007e66c6a081f28204566c9a7865175646a0

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 11.8MB
  MD5: 7da2b4f97668c3071344c93ce9980457
  SHA1: 77fc0d366ddae2da16cec6b235075af7bf063cbc
  SHA256: 4649e1c66f9a041938a95b9882d9dcf38c7ef5915c38283ae8162be1194dde49
  SHA512: 61826469e9cc457612db945296b6a1212c946345e197ce46ac347c497f722de232bf1748d0354c0cc0aab5fb2567d3409cd43c36659f44c25e99ec5604196493

\??\Volume{2339e045-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5f6642db-c50e-485c-9329-120b6c645b04}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: bcdcf4622d1f9f825ec70585b6e0d78f
  SHA1: d3e041d2b5597e260aff7554590080c4d9e614b2
  SHA256: 5dca71e2f8fbc2223cc5f53a9275c183ff7f34f9ddb37f86eda8820028373816
  SHA512: af70c2ba2efb5f7a2b1b85541413263279cfd57533f3004c8304530659d2d1e87923fbc02b7c5e6422881b87929b70dce07e99609e5fc2d2a36deb090ab21e2c

memory/428-145-0x0000000180000000-0x0000000180009000-memory.dmp
  Filesize: 36KB

memory/428-142-0x0000000000000000-mapping.dmp

memory/440-133-0x0000000000000000-mapping.dmp

memory/2036-132-0x0000000000000000-mapping.dmp

memory/5016-136-0x0000000000000000-mapping.dmp

memory/5016-141-0x00007FFCAA180000-0x00007FFCAAC41000-memory.dmp
  Filesize: 10.8MB

memory/5016-140-0x000002C2A9A90000-0x000002C2A9B00000-memory.dmp
  Filesize: 448KB

memory/5016-148-0x00007FFCAA180000-0x00007FFCAAC41000-memory.dmp
  Filesize: 10.8MB

memory/5016-139-0x000002C28FB00000-0x000002C28FB0A000-memory.dmp
  Filesize: 40KB

memory/5016-138-0x000002C291550000-0x000002C29157E000-memory.dmp
  Filesize: 184KB