Analysis
- max time kernel: 394s
- max time network: 468s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 21:03
Static task
- static1
Behavioral task
- behavioral1
  Sample: document_32_invoice#PDF.msi
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: document_32_invoice#PDF.msi
  Resource: win10v2004-20221111-en
General
- Target: document_32_invoice#PDF.msi
- Size: 660KB
- MD5: 86eb208705e4763325a02c5a5e0192cf
- SHA1: 48619e828167158af93509a6b6b98178d6e1ae4b
- SHA256: 83d74fc76b2d4c149b60ba5681cfc01eac95a7bc41903e05a25945fdf63702eb
- SHA512: 7ce0225a026a610b8a61156b78e59ba85005a0fc872f5b9a9900e15d170cfb9347f80cdc818019c9e2029e93ae28473fea5ea67622281fc137ab20220d4749b6
- SSDEEP: 12288:QwHL0D7KkCPumy9chfA+te5O//4777777LwmqL2SBF3u:lHL06/zyt+85OXj6oF3u
Malware Config
Extracted
icedid
764376559
saintrefunda.com
Signatures
-
Blocklisted process makes network request (4 IoCs)
Processes: rundll32.exe
  flow  pid  process
  3     268  rundll32.exe
  4     268  rundll32.exe
  5     268  rundll32.exe
  6     268  rundll32.exe
-
Loads dropped DLL (2 IoCs)
Processes: MsiExec.exe, rundll32.exe
  pid   process
  1480  MsiExec.exe
  1664  rundll32.exe
-
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  description              ioc     process
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
-
Drops file in Windows directory (11 IoCs)
Processes: DrvInst.exe, msiexec.exe
  description                   ioc                                  process
  File opened for modification  C:\Windows\INF\setupapi.ev1          DrvInst.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log      DrvInst.exe
  File opened for modification  C:\Windows\Installer\6ff690.msi      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIF70D.tmp     msiexec.exe
  File opened for modification  C:\Windows\Installer\                msiexec.exe
  File opened for modification  C:\Windows\Installer\6ff691.ipi      msiexec.exe
  File opened for modification  C:\Windows\INF\setupapi.ev3          DrvInst.exe
  File created                  C:\Windows\Installer\6ff691.ipi      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSICCF.tmp      msiexec.exe
  File created                  C:\Windows\Installer\6ff693.msi      msiexec.exe
  File created                  C:\Windows\Installer\6ff690.msi      msiexec.exe
-
Modifies data under HKEY_USERS (43 IoCs)
Processes: DrvInst.exe
  description       ioc                                                                                              process
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root                              DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople                     DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs                           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA                       DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs          DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates        DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates        DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs                         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My                                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates                   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust                    DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs               DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs               DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates          DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs          DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs                         DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs       DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs                  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs                   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed               DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs                   DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs                        DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs                        DrvInst.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs                  DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed                        DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot                     DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople            DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs       DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA                                DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs                           DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates                 DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust                             DrvInst.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates       DrvInst.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: msiexec.exe, rundll32.exe
  pid   process
  1648  msiexec.exe
  1648  msiexec.exe
  268   rundll32.exe
  268   rundll32.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe, DrvInst.exe
  description                           pid   process
  Token: SeShutdownPrivilege            1612  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1612  msiexec.exe
  Token: SeRestorePrivilege             1648  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1648  msiexec.exe
  Token: SeSecurityPrivilege            1648  msiexec.exe
  Token: SeCreateTokenPrivilege         1612  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1612  msiexec.exe
  Token: SeLockMemoryPrivilege          1612  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       1612  msiexec.exe
  Token: SeMachineAccountPrivilege      1612  msiexec.exe
  Token: SeTcbPrivilege                 1612  msiexec.exe
  Token: SeSecurityPrivilege            1612  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1612  msiexec.exe
  Token: SeLoadDriverPrivilege          1612  msiexec.exe
  Token: SeSystemProfilePrivilege       1612  msiexec.exe
  Token: SeSystemtimePrivilege          1612  msiexec.exe
  Token: SeProfSingleProcessPrivilege   1612  msiexec.exe
  Token: SeIncBasePriorityPrivilege     1612  msiexec.exe
  Token: SeCreatePagefilePrivilege      1612  msiexec.exe
  Token: SeCreatePermanentPrivilege     1612  msiexec.exe
  Token: SeBackupPrivilege              1612  msiexec.exe
  Token: SeRestorePrivilege             1612  msiexec.exe
  Token: SeShutdownPrivilege            1612  msiexec.exe
  Token: SeDebugPrivilege               1612  msiexec.exe
  Token: SeAuditPrivilege               1612  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   1612  msiexec.exe
  Token: SeChangeNotifyPrivilege        1612  msiexec.exe
  Token: SeRemoteShutdownPrivilege      1612  msiexec.exe
  Token: SeUndockPrivilege              1612  msiexec.exe
  Token: SeSyncAgentPrivilege           1612  msiexec.exe
  Token: SeEnableDelegationPrivilege    1612  msiexec.exe
  Token: SeManageVolumePrivilege        1612  msiexec.exe
  Token: SeImpersonatePrivilege         1612  msiexec.exe
  Token: SeCreateGlobalPrivilege        1612  msiexec.exe
  Token: SeBackupPrivilege              280   vssvc.exe
  Token: SeRestorePrivilege             280   vssvc.exe
  Token: SeAuditPrivilege               280   vssvc.exe
  Token: SeBackupPrivilege              1648  msiexec.exe
  Token: SeRestorePrivilege             1648  msiexec.exe
  Token: SeRestorePrivilege             1996  DrvInst.exe
  Token: SeRestorePrivilege             1996  DrvInst.exe
  Token: SeRestorePrivilege             1996  DrvInst.exe
  Token: SeRestorePrivilege             1996  DrvInst.exe
  Token: SeRestorePrivilege             1996  DrvInst.exe
  Token: SeRestorePrivilege             1996  DrvInst.exe
  Token: SeRestorePrivilege             1996  DrvInst.exe
  Token: SeLoadDriverPrivilege          1996  DrvInst.exe
  Token: SeLoadDriverPrivilege          1996  DrvInst.exe
  Token: SeLoadDriverPrivilege          1996  DrvInst.exe
  Token: SeRestorePrivilege             1648  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1648  msiexec.exe
  Token: SeRestorePrivilege             1648  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1648  msiexec.exe
  Token: SeRestorePrivilege             1648  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1648  msiexec.exe
  Token: SeRestorePrivilege             1648  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1648  msiexec.exe
  Token: SeRestorePrivilege             1648  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1648  msiexec.exe
  Token: SeRestorePrivilege             1648  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1648  msiexec.exe
  Token: SeRestorePrivilege             1648  msiexec.exe
  Token: SeTakeOwnershipPrivilege       1648  msiexec.exe
  Token: SeRestorePrivilege             1648  msiexec.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  pid   process
  1612  msiexec.exe
  1612  msiexec.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: msiexec.exe, MsiExec.exe
  description                        pid   process      target process
  PID 1648 wrote to memory of 1480   1648  msiexec.exe  MsiExec.exe
  PID 1648 wrote to memory of 1480   1648  msiexec.exe  MsiExec.exe
  PID 1648 wrote to memory of 1480   1648  msiexec.exe  MsiExec.exe
  PID 1648 wrote to memory of 1480   1648  msiexec.exe  MsiExec.exe
  PID 1648 wrote to memory of 1480   1648  msiexec.exe  MsiExec.exe
  PID 1480 wrote to memory of 1664   1480  MsiExec.exe  rundll32.exe
  PID 1480 wrote to memory of 1664   1480  MsiExec.exe  rundll32.exe
  PID 1480 wrote to memory of 1664   1480  MsiExec.exe  rundll32.exe
Processes (nested by process-tree depth)
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\document_32_invoice#PDF.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\MsiExec.exe
    Command line: C:\Windows\system32\MsiExec.exe -Embedding DC810EBA4E85DC8127A71BE9C224BB5F
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe "C:\Windows\Installer\MSIF70D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7337881 1 test.cs!Test.CustomActions.MyAction
      - Loads dropped DLL
      - C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp1E5.dll",init
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C8" "00000000000003CC"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Installer\MSIF70D.tmp
  Filesize: 413KB
  MD5: 0692f230094a0e5e2e280b31e00e727c
  SHA1: 6b24b28584a451f1fb5abc77b46d7f479114cc02
  SHA256: c20f8c37683aa097a6452333901a21c9b58a4651d63ce251ab4b7afb03cb7f8e
  SHA512: 79cbb9d5434f54a93c9c91e32411dc7d0fd7a311b8da83a02a2868758a40cdc027e102fe6f51b0dd4ee82e172a625655807affc9714a60beaca47ef4a236013d
- \??\PIPE\samr
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \Windows\Installer\MSIF70D.tmp
  Filesize: 413KB
  MD5: 0692f230094a0e5e2e280b31e00e727c
  SHA1: 6b24b28584a451f1fb5abc77b46d7f479114cc02
  SHA256: c20f8c37683aa097a6452333901a21c9b58a4651d63ce251ab4b7afb03cb7f8e
  SHA512: 79cbb9d5434f54a93c9c91e32411dc7d0fd7a311b8da83a02a2868758a40cdc027e102fe6f51b0dd4ee82e172a625655807affc9714a60beaca47ef4a236013d
- \Windows\Installer\MSIF70D.tmp
  Filesize: 413KB
  MD5: 0692f230094a0e5e2e280b31e00e727c
  SHA1: 6b24b28584a451f1fb5abc77b46d7f479114cc02
  SHA256: c20f8c37683aa097a6452333901a21c9b58a4651d63ce251ab4b7afb03cb7f8e
  SHA512: 79cbb9d5434f54a93c9c91e32411dc7d0fd7a311b8da83a02a2868758a40cdc027e102fe6f51b0dd4ee82e172a625655807affc9714a60beaca47ef4a236013d
- memory/268-63-0x0000000180000000-0x0000000180009000-memory.dmp
  Filesize: 36KB
- memory/1480-57-0x0000000000000000-mapping.dmp
- memory/1612-54-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp
  Filesize: 8KB
- memory/1664-61-0x0000000000000000-mapping.dmp