Analysis

max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2022 21:17

Static task: static1
Behavioral task: behavioral1
  Sample: f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678.msi
  Resource: win7-20220812-en
General

Target: f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678.msi
Size: 720KB
MD5: 123e08900a96c6f2f8edf6f7c8658436
SHA1: da2ab9ffa5011065e3caf4a6ee539790e514ab2f
SHA256: f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678
SHA512: 9c43da596de9b358798adb049e87c02ff13641d4b6f5449d1f9f94b50c798f45a30cc4ef7086102deb22027b4c6366b888981ac68c3d998685332c2b021ae9f8
SSDEEP: 12288:mwHL0D7BkCPumy9chfA+tk8B0igC+/NHBQ1SdwS:PHL0R/zyt++8BtZKBmS+
Malware Config

Extracted
Family: icedid
Campaign: 787509923
C2: kamintrewftor.com
Signatures
Blocklisted process makes network request (2 IoCs)
Processes: rundll32.exe
  flow 21  pid 1872  rundll32.exe
  flow 71  pid 1872  rundll32.exe
Both flows come from PID 1872, the rundll32.exe instance that loaded C:\Users\Admin\AppData\Local\Temp\tmp2F8C.dll (see the process tree below); no other process in this run made a blocklisted request.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: rundll32.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  rundll32.exe
The key is the current user's HKCU\Control Panel\International\Geo\Nation, whose value is the Windows GeoID of the configured country/region. A registry value read leaves no Sysmon event (Sysmon records key/value creation, deletion, renames and value sets, not queries), so this behaviour is visible to an API-hooking sandbox or EDR kernel telemetry but not in default Sysmon logs.
Loads dropped DLL (3 IoCs)
Processes: MsiExec.exe, rundll32.exe, rundll32.exe
  pid 4604  MsiExec.exe
  pid 1948  rundll32.exe
  pid 1872  rundll32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  File opened (read-only) by msiexec.exe; each of the following 24 volumes appears twice (48 entries in total):
  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
C: and D: are not in the list. Both msiexec.exe instances (PIDs 4648 and 4716) carry this signature in the process tree. Windows Installer probes volumes while costing an install, so on its own this signature is expected installer behaviour rather than evidence about the payload.
Drops file in Windows directory (13 IoCs)
Processes: msiexec.exe, rundll32.exe
  msiexec.exe:
    File created                 C:\Windows\Installer\e572afa.msi
    File created                 C:\Windows\Installer\e572af8.msi
    File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
    File opened for modification C:\Windows\Installer\MSI2C50.tmp
    File created                 C:\Windows\Installer\inprogressinstallinfo.ipi
    File created                 C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}
    File opened for modification C:\Windows\Installer\e572af8.msi
    File opened for modification C:\Windows\Installer\
    File opened for modification C:\Windows\Installer\MSI3365.tmp
  rundll32.exe:
    File opened for modification C:\Windows\Installer\MSI2C50.tmp-\CustomAction.config
    File opened for modification C:\Windows\Installer\MSI2C50.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    File opened for modification C:\Windows\Installer\MSI2C50.tmp-\test.cs.dll
    File opened for modification C:\Windows\Installer\MSI2C50.tmp-\WixSharp.dll
The MSI2C50.tmp-\ directory is the managed custom-action package that the WiX DTF SfxCA stub (MSI2C50.tmp) extracts before rundll32.exe invokes it: Microsoft.Deployment.WindowsInstaller.dll and CustomAction.config are DTF components, WixSharp.dll is the WixSharp runtime, and test.cs.dll is the assembly named in the rundll32 command line (test.cs!Test.CustomActions.MyAction). The GUID in the SourceHash{...} file name is the package's product code.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No process IoCs are listed for this signature, and the "ransomware" wording is the sandbox's generic description of the TTP. The extracted configuration identifies the sample as an IcedID loader; the drive enumeration above is by msiexec.exe and the SCSI registry access below is by vssvc.exe.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
All five entries come from vssvc.exe (Volume Shadow Copy service, PID 4208), which is active because srtasks.exe ExecuteScopeRestorePoint created the restore point Windows Installer requests for an install. Writing PartitionTableCache and SnapshotDataCache under Device Parameters\Partmgr is the snapshot machinery caching partition data (the SnapshotDataCache value begins with the ASCII magic "SNAPPART"), not the sample reading SCSI identifiers to detect a sandbox.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: rundll32.exe, msiexec.exe
  pid 1872  rundll32.exe  (6 entries)
  pid 4716  msiexec.exe   (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe
  pid 4648 msiexec.exe (31 entries, in order): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 4716 msiexec.exe (30 entries): SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege (15 in total) and SeTakeOwnershipPrivilege (13 in total), largely alternating
  pid 4208 vssvc.exe (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Neither rundll32.exe instance appears in this list: every privilege adjustment, SeDebugPrivilege included, is made by the msiexec.exe client (4648), the Windows Installer service (4716) or the shadow-copy service, which is ordinary installer behaviour.
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  pid 4648  msiexec.exe  (2 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: msiexec.exe, MsiExec.exe, rundll32.exe
  PID 4716 msiexec.exe   wrote to memory of  1580 srtasks.exe   (2 entries)
  PID 4716 msiexec.exe   wrote to memory of  4604 MsiExec.exe   (2 entries)
  PID 4604 MsiExec.exe   wrote to memory of  1948 rundll32.exe  (2 entries)
  PID 1948 rundll32.exe  wrote to memory of  1872 rundll32.exe  (2 entries)
Each pair is a parent writing into a child it has just created; the edges are exactly those of the process tree below, and no write into an unrelated process is recorded.
Processes

PIDs are taken from the signature tables above; the parent/child edges match the WriteProcessMemory entries.

C:\Windows\system32\msiexec.exe  (PID 4648)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 4716)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  └─ C:\Windows\system32\srtasks.exe  (PID 1580)
       C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  └─ C:\Windows\System32\MsiExec.exe  (PID 4604)
       C:\Windows\System32\MsiExec.exe -Embedding 8151345698451E24115F56C39B61E64E
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory

       └─ C:\Windows\system32\rundll32.exe  (PID 1948)
            rundll32.exe "C:\Windows\Installer\MSI2C50.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240594203 2 test.cs!Test.CustomActions.MyAction
            - Checks computer location settings
            - Loads dropped DLL
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory

            └─ C:\Windows\System32\rundll32.exe  (PID 1872)
                 "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp2F8C.dll",init
                 - Blocklisted process makes network request
                 - Loads dropped DLL
                 - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe  (PID 4208)
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

Reading the chain: PID 4648 is the user-launched msiexec client, PID 4716 the Windows Installer service, and PID 4604 the custom-action server it spawns. PID 1948 is rundll32.exe hosting the WiX DTF SfxCA stub (MSI2C50.tmp), whose zzzzInvokeManagedCustomActionOutOfProc export runs the managed entry point test.cs!Test.CustomActions.MyAction from the extracted MSI2C50.tmp-\ package; that custom action is the process that performs the registry geofence check and then launches a second rundll32.exe (PID 1872) on C:\Users\Admin\AppData\Local\Temp\tmp2F8C.dll with export init, which is the only process that made network requests.
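Detection logic for the chain above, as an added example that is not part of the sandbox report or of any vendor's rule set. The events are constructed from the report's process tree (PIDs and command lines copied from it); the parent PIDs of the three top-level processes are not given on the page and are set to 0, and the event layout (pid, ppid, image, cmdline) is an assumed Sysmon-like schema rather than a specific product's format. The rule flags rundll32.exe loading a DLL from a user temp directory when an ancestor is the MSI custom-action server (MsiExec.exe -Embedding) or a DTF managed custom action, which is the pattern this run exhibits; the rundll32.exe that merely hosts the SfxCA stub under C:\Windows\Installer is not flagged on its own.

```python
"""Flag rundll32 loading a user-temp DLL from under an MSI custom action.

Added example, not code from the sandbox report. EVENTS mirrors the report's
process tree; ppid 0 marks the top-level processes whose parents the page
does not give. The field layout is an assumed Sysmon-like schema.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs from its signature tables).
EVENTS = [
    ProcEvent(4648, 0, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678.msi"),
    ProcEvent(4716, 0, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(1580, 4716, r"C:\Windows\system32\srtasks.exe",
              r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    ProcEvent(4604, 4716, r"C:\Windows\System32\MsiExec.exe",
              r"C:\Windows\System32\MsiExec.exe -Embedding 8151345698451E24115F56C39B61E64E"),
    ProcEvent(1948, 4604, r"C:\Windows\system32\rundll32.exe",
              r'rundll32.exe "C:\Windows\Installer\MSI2C50.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240594203 2 test.cs!Test.CustomActions.MyAction'),
    ProcEvent(1872, 1948, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp2F8C.dll",init'),
    ProcEvent(4208, 0, r"C:\Windows\system32\vssvc.exe",
              r"C:\Windows\system32\vssvc.exe"),
]

# rundll32 argument "<path>,<export>"; the path may be quoted. Any extension
# is accepted because this chain loads a .tmp (MSI2C50.tmp) as a DLL.
RUNDLL32_ARG = re.compile(r'"?([A-Za-z]:\\[^",]+)"?\s*,\s*([A-Za-z_#][\w#]*)')
# Per-user temp directory, matched case-insensitively.
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def rundll32_target(ev: ProcEvent) -> Optional[tuple[str, str]]:
    """Return (dll_path, export) for a rundll32.exe event, else None."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return None
    m = RUNDLL32_ARG.search(ev.cmdline)
    return (m.group(1), m.group(2)) if m else None


def ancestors(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[ProcEvent]:
    """Process chain from the oldest known ancestor down to ev (inclusive)."""
    chain, seen, cur = [ev], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:  # stop at unknown/cyclic ppid
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return list(reversed(chain))


def find_msi_custom_action_chains(events: list[ProcEvent]) -> list[dict]:
    """rundll32 + user-temp DLL, reached via MsiExec -Embedding or a DTF managed CA."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        tgt = rundll32_target(ev)
        if tgt is None or not USER_TEMP.search(tgt[0]):
            continue
        chain = ancestors(ev, by_pid)
        via_ca_server = any(a.image.lower().endswith("\\msiexec.exe")
                            and "-embedding" in a.cmdline.lower() for a in chain)
        via_dtf = any("zzzzinvokemanagedcustomaction" in a.cmdline.lower() for a in chain)
        if via_ca_server or via_dtf:
            findings.append({
                "pid": ev.pid,
                "dll": tgt[0],
                "export": tgt[1],
                "chain": [a.pid for a in chain],
                "via_custom_action_server": via_ca_server,
                "via_dtf_managed_ca": via_dtf,
            })
    return findings


if __name__ == "__main__":
    for finding in find_msi_custom_action_chains(EVENTS):
        print(finding)
```

Run against the constructed events this yields a single finding for PID 1872 with the chain 4716 → 4604 → 1948 → 1872. Matching on the DLL's location rather than its name keeps the rule useful when the dropped file is renamed, and requiring the installer ancestry keeps ordinary `rundll32.exe <temp>\x.dll` usage by unrelated software out of the alert.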
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2F8C.dll
  Filesize: 269KB
  MD5:    c7ca67a72a6cad3fc366e6e172539859
  SHA1:   fd1855605f49c59a0894f7a8b848303eb099f496
  SHA256: c705008b6656feabe462ebb2363d6a259581cea574872cb1c6c440dbd23ad4fa
  SHA512: 5727151a1e2680fd482fa8a882ead4242c1f96b4119f0c7672fc7a5b5d2df8a226b15dc69f6ce0f7ccfe17510f21a0af4c23ecb000bda6f29252daf724c16fbd

C:\Windows\Installer\MSI2C50.tmp
  Filesize: 413KB
  MD5:    58764e57acbeec211e0dc2d07ca2fb3e
  SHA1:   018b975e148ea657253a8dfd1f78fbf6d7de680b
  SHA256: 13954d45b324ba4c5c4148cbd469289e62f783b0304aba398cf426a993a5a379
  SHA512: 52a383131ae466a4ddf72801e7c6832c6508a5caa54f67ef4c09d3658a175a0a85c2d5609ead9c418779b4c14dd7bac5cde8557415d52bed3d22204d12ab07af

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5:    67ea86fb6b950faf156f1ad9f9d30c87
  SHA1:   b49ed0e0142430b4c241d40c1feb58913ffc2319
  SHA256: fe9257ad25657541567aeb42c595f00f7d37ca3da871f3d0955351f07e1a3ccb
  SHA512: a2a6758356af4ef552c0601488bc6055f1a404ac6b3750ddf45cfdd8e6b3d1d31335aa6d1f8cb9a2db0ab23b6914c01b44f5b6597d35c20557d8316c38e5a78a

\??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f083348a-6b00-4437-92b8-435b93af2d4c}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5:    4e8850eea41c28c8c8f5741ae48278af
  SHA1:   d88cb3ee06a7953f47b6947c1615271a98d729a7
  SHA256: 505d01e171a1669b1ed0a18ecade0e0625defc5ef34eb32913152858839f05c1
  SHA512: 8694103d441a4874c5d5e9b78326706acf8089243a026c1588a4f233fc2f5a5933dd72b2d9e93250e8b268f57c8065f0af36d12d910764602396a2f7a48e57fe

Memory dumps (PID-index-range)
  memory/1580-132-0x0000000000000000-mapping.dmp
  memory/1872-144-0x0000022202E10000-0x0000022202E19000-memory.dmp  (36KB)
  memory/1872-141-0x0000000000000000-mapping.dmp
  memory/1948-140-0x00000239DD620000-0x00000239DD690000-memory.dmp  (448KB)
  memory/1948-139-0x00000239C4ED0000-0x00000239C4EDA000-memory.dmp  (40KB)
  memory/1948-145-0x00007FF963960000-0x00007FF964421000-memory.dmp  (10.8MB)
  memory/1948-138-0x00000239C4EE0000-0x00000239C4F0E000-memory.dmp  (184KB)
  memory/1948-136-0x0000000000000000-mapping.dmp
  memory/1948-153-0x00007FF963960000-0x00007FF964421000-memory.dmp  (10.8MB)
  memory/4604-133-0x0000000000000000-mapping.dmp