Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2022 07:13
Static task: static1
Behavioral task: behavioral1
Sample: document_157_invoice#PDF.msi
Resource: win7-20220812-en
General
Target: document_157_invoice#PDF.msi
Size: 660KB
MD5: c00b5441e87185716ce13e82dafabbf7
SHA1: 40bdbd060266d60a325f1d83cad95ff8d0608af9
SHA256: 979c1e609c8fb00a69412d69c50a8456fa9e9658ed1f8d538301a3d6e0ced032
SHA512: 6e49a1452702a4f90fc6d431d2baabf0a41c7bc5caaffcdb5b799bbe157c13352c2a258647a53318407549b1eaa5d40a6a64f8886979911ae58a062a3e0d92b0
SSDEEP: 12288:xwHL0D7HkCPumy9chfA+tL5O//Y777777LwmqLpSLF3u:uHL03/zyt+B5OXDV2F3u
Malware Config
Extracted
icedid
764376559
saintrefunda.com
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes: rundll32.exe
  flow 40 | pid 1040 | rundll32.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: rundll32.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | rundll32.exe
-
Loads dropped DLL 3 IoCs
Processes: MsiExec.exe, rundll32.exe, rundll32.exe
  pid 2584 | MsiExec.exe
  pid 2936 | rundll32.exe
  pid 1040 | rundll32.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 13 IoCs
Processes: msiexec.exe, rundll32.exe
  File opened for modification | C:\Windows\Installer\e589ac4.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9B31.tmp-\test.cs.dll | rundll32.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIA4E7.tmp | msiexec.exe
  File created | C:\Windows\Installer\e589ac4.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9B31.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI9B31.tmp-\CustomAction.config | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSI9B31.tmp-\WixSharp.dll | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSI9B31.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
  File created | C:\Windows\Installer\e589ac6.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes: msiexec.exe, rundll32.exe
  pid 4920 | msiexec.exe
  pid 4920 | msiexec.exe
  pid 4920 | msiexec.exe
  pid 1040 | rundll32.exe
  pid 1040 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: msiexec.exe
  pid 4588 | msiexec.exe
  pid 4588 | msiexec.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: msiexec.exe, MsiExec.exe, rundll32.exe
  PID 4920 wrote to memory of 4736 | 4920 msiexec.exe | srtasks.exe
  PID 4920 wrote to memory of 4736 | 4920 msiexec.exe | srtasks.exe
  PID 4920 wrote to memory of 2584 | 4920 msiexec.exe | MsiExec.exe
  PID 4920 wrote to memory of 2584 | 4920 msiexec.exe | MsiExec.exe
  PID 2584 wrote to memory of 2936 | 2584 MsiExec.exe | rundll32.exe
  PID 2584 wrote to memory of 2936 | 2584 MsiExec.exe | rundll32.exe
  PID 2936 wrote to memory of 1040 | 2936 rundll32.exe | rundll32.exe
  PID 2936 wrote to memory of 1040 | 2936 rundll32.exe | rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\document_157_invoice#PDF.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\srtasks.exe
      command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    -
    C:\Windows\System32\MsiExec.exe
      command line: C:\Windows\System32\MsiExec.exe -Embedding 34D396E01956D786EA24843A66B5941B
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        -
        C:\Windows\system32\rundll32.exe
          command line: rundll32.exe "C:\Windows\Installer\MSI9B31.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240688093 2 test.cs!Test.CustomActions.MyAction
          - Checks computer location settings
          - Loads dropped DLL
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory
            -
            C:\Windows\System32\rundll32.exe
              command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp9E5E.dll",init
              - Blocklisted process makes network request
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9E5E.dll
Filesize: 209KB
MD5: 5cb757d0aed9740075cbd4e381f5432a
SHA1: 5134ea14539d68615e82e8cab6fecee521068d1e
SHA256: d2061db77dd5377d5e9006ef166196ef1b6604f670d9f695a6c4f265fda9d2b6
SHA512: 695d1613ac3d68e8ee9802ea1869af9592223272c4167422cb527b1ee3ad0e92a5cfa87609146e49210cfb1195d843f32c9506e13c355e7a71eb59e1ec38e40e
-
C:\Windows\Installer\MSI9B31.tmp
Filesize: 413KB
MD5: 73f4256925d931f7e18e045b5c94fa8e
SHA1: b50352241abc5fb8f79b305fa18b7da5f8992868
SHA256: b58f861ba94c6d118c0f28d9494fe0233657e1150595ad9d220beb92af6f4cc8
SHA512: 8120a439d7882f7d4ee49d3b81667b21a09ef2b345f4025f48426d90b103d55c9b9bc64258a98417d8e86f5984ceffb316557e46e8927a05c814d296a9560496
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize: 23.0MB
MD5: d454922ce19f39c8f396992c109ef4ed
SHA1: 483103ebef036622e0bb0d269ba34e69469cb571
SHA256: f7a79936e22145b765b8bf0db1a7a421438946d8366f19af052db8c6a51e0d83
SHA512: ba1576973369bc102827384e1c5012e92e840718366e95b75ff78993e65c3e031fab197ec0248c8f59b74140ac797fa4606bd73ce2b722d363c271371f2e18d4
-
\??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b56a6cc7-2292-4360-9e91-f04f58770429}_OnDiskSnapshotProp
Filesize: 5KB
MD5: 50d761a5af5bb7f84431ff5cf844bb60
SHA1: 88cacb458e322a90904251758b1aa64bc5acb880
SHA256: 9b17c6b16d4774f9b1138c9c88beb4e6f0b50cf00bc3c12d6a263225ac42c4ed
SHA512: 6060b077e90da080218f10da4ac20e50e3d5954f9926322cbe3216c322685c86653b3481450644fda1b6919b7627c7a2ce3ab75a9f9694f81767ab1acb03ff4e
-
memory/1040-142-0x0000000000000000-mapping.dmp
-
memory/1040-145-0x0000000180000000-0x0000000180009000-memory.dmp
Filesize: 36KB
-
memory/2584-133-0x0000000000000000-mapping.dmp
-
memory/2936-136-0x0000000000000000-mapping.dmp
-
memory/2936-141-0x00007FFA6E220000-0x00007FFA6ECE1000-memory.dmp
Filesize: 10.8MB
-
memory/2936-140-0x000001957FFC0000-0x0000019580030000-memory.dmp
Filesize: 448KB
-
memory/2936-146-0x00007FFA6E220000-0x00007FFA6ECE1000-memory.dmp
Filesize: 10.8MB
-
memory/2936-139-0x000001957FEE0000-0x000001957FEEA000-memory.dmp
Filesize: 40KB
-
memory/2936-138-0x000001957FF10000-0x000001957FF3E000-memory.dmp
Filesize: 184KB
-
memory/4736-132-0x0000000000000000-mapping.dmp