Analysis
- max time kernel: 168s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-12-2022 00:02
Static task: static1
Behavioral task: behavioral1
Sample: de81ef356acc2e199252f8fe2a894c36c6e327d5efd3abaaa7df477f3942e33b.msi
Resource: win7-20220812-en
General
- Target: de81ef356acc2e199252f8fe2a894c36c6e327d5efd3abaaa7df477f3942e33b.msi
- Size: 720KB
- MD5: 67d8f0f4203f74c7dc9c3ea8a00ab6b8
- SHA1: ca6fd6caed882f183bc25963c4ea7f11923d7680
- SHA256: de81ef356acc2e199252f8fe2a894c36c6e327d5efd3abaaa7df477f3942e33b
- SHA512: 3b71d35bd608d6f1b970faeb641b9347dd48f686295b18ffac96f121c227c203527892ef298705687a9084bd2aca2171b23d52316c337891a63ef00e85c1b366
- SSDEEP: 12288:QwHL0D7lkCPumy9chfA+tl8B0igC+/NHBh1SMHs:lHL01/zyt+b8BtZKBzSE
Malware Config
Extracted
- Family: icedid
- Campaign ID: 787509923
- C2: kamintrewftor.com
Signatures

Blocklisted process makes network request (1 IoC)
Processes: rundll32.exe
  flow  pid   process
  51    4824  rundll32.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: rundll32.exe
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  rundll32.exe
In the process tree this signature is attached to the custom-action host rundll32.exe (PID 1524, loading MSI5704.tmp), so the geolocation lookup is made by the installer's managed custom action, the parent of the stage that loads tmp5A12.dll.
Loads dropped DLL (3 IoCs)
Processes: MsiExec.exe, rundll32.exe, rundll32.exe
  pid   process
  1040  MsiExec.exe
  1524  rundll32.exe
  4824  rundll32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  description              ioc            process
  File opened (read-only)  \??\<letter>:  msiexec.exe
All 48 rows have this form: each of the 24 drive letters A:, B:, E:, F:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y: and Z: (C: and D: are not probed) appears twice, and two msiexec.exe processes carry this signature in the process tree (the /I client, PID 3048, and the /V service, PID 684). Probing every volume letter read-only is consistent with Windows Installer volume enumeration during install costing and is not, by itself, attributable to the payload.
Drops file in Windows directory (13 IoCs)
Processes: msiexec.exe, rundll32.exe
  description                  ioc                                                                       process
  File opened for modification  C:\Windows\Installer\e585678.msi                                          msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI5704.tmp-\test.cs.dll                             rundll32.exe
  File opened for modification  C:\Windows\Installer\MSI5704.tmp-\WixSharp.dll                            rundll32.exe
  File opened for modification  C:\Windows\Installer\MSI5704.tmp-\Microsoft.Deployment.WindowsInstaller.dll  rundll32.exe
  File opened for modification  C:\Windows\Installer\                                                     msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                            msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}     msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI5EC6.tmp                                          msiexec.exe
  File created                  C:\Windows\Installer\e58567a.msi                                          msiexec.exe
  File created                  C:\Windows\Installer\e585678.msi                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI5704.tmp                                          msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI5704.tmp-\CustomAction.config                     rundll32.exe
The MSI5704.tmp-\ directory is where the WiX Deployment Tools Foundation (DTF) self-extracting custom-action stub (MSI5704.tmp, the SfxCA host) unpacks the managed custom-action assembly test.cs.dll together with its dependencies WixSharp.dll and Microsoft.Deployment.WindowsInstaller.dll and the CustomAction.config runtime file. These rows show the package was built with WixSharp and carries a managed custom action; the remaining msiexec.exe rows are ordinary Windows Installer bookkeeping.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This signature has no IoC rows. The only drive-level activity the report attributes to a process is the drive-letter enumeration by msiexec.exe above and the Volume Shadow Copy work by vssvc.exe below, both part of the install. The ransomware wording is the sandbox's generic description for this signature; the extracted configuration identifies the sample as IcedID, a loader/banking trojan.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
  description       ioc                                                                                                                                  process
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                     vssvc.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                     vssvc.exe
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr             vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = <value elided>  vssvc.exe
All five rows belong to vssvc.exe, the Volume Shadow Copy service, writing the Partmgr snapshot caches while the restore point requested by srtasks.exe ExecuteScopeRestorePoint (see Processes) is created. The sandbox-detection text is the signature's generic description and is not evidence of anti-analysis by the sample.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: rundll32.exe, msiexec.exe
  pid   process       count
  4824  rundll32.exe  6
  684   msiexec.exe   2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe
Grouped by process, with repeat counts in parentheses where a privilege was adjusted more than once:
  3048  msiexec.exe  (31 entries)  SeShutdownPrivilege (2), SeIncreaseQuotaPrivilege (2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  684   msiexec.exe  (30 entries)  SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege (15) and SeTakeOwnershipPrivilege (13) alternating
  4568  vssvc.exe    (3 entries)   SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  pid   process      count
  3048  msiexec.exe  2
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: msiexec.exe, MsiExec.exe, rundll32.exe
  description      pid   process       target pid  target process
  wrote to memory  684   msiexec.exe   2024        srtasks.exe
  wrote to memory  684   msiexec.exe   2024        srtasks.exe
  wrote to memory  684   msiexec.exe   1040        MsiExec.exe
  wrote to memory  684   msiexec.exe   1040        MsiExec.exe
  wrote to memory  1040  MsiExec.exe   1524        rundll32.exe
  wrote to memory  1040  MsiExec.exe   1524        rundll32.exe
  wrote to memory  1524  rundll32.exe  4824        rundll32.exe
  wrote to memory  1524  rundll32.exe  4824        rundll32.exe
Every pair is a parent writing into a child it has just created, and the edges are exactly those of the process tree below (684 -> 2024, 684 -> 1040, 1040 -> 1524, 1524 -> 4824). These rows record the process-creation chain, not injection into an unrelated process.
Processes
PIDs are taken from the signature tables above; indentation shows the parent/child relationship.

C:\Windows\system32\msiexec.exe  (PID 3048)
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\de81ef356acc2e199252f8fe2a894c36c6e327d5efd3abaaa7df477f3942e33b.msi
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 684)
    C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe  (PID 2024)
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    C:\Windows\System32\MsiExec.exe  (PID 1040)
        C:\Windows\System32\MsiExec.exe -Embedding 9FFB8B7C837094EA0C7CD8659CEA648F
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\rundll32.exe  (PID 1524)
            rundll32.exe "C:\Windows\Installer\MSI5704.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240670640 2 test.cs!Test.CustomActions.MyAction
            - Checks computer location settings
            - Loads dropped DLL
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory

            C:\Windows\System32\rundll32.exe  (PID 4824)
                "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp5A12.dll",init
                - Blocklisted process makes network request
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe  (PID 4568)
    C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

Execution chain: the user-launched client msiexec.exe /I (3048) hands the package to the Windows Installer service instance msiexec.exe /V (684), which creates a restore point (srtasks.exe, vssvc.exe) and starts a custom-action server (MsiExec.exe -Embedding, 1040). That server runs the package's managed custom action test.cs!Test.CustomActions.MyAction through the WiX DTF self-extracting stub MSI5704.tmp hosted in rundll32.exe (1524), and that custom action launches a second rundll32.exe (4824) which loads tmp5A12.dll from the user's Temp directory via its init export. Only this last process makes the network request, so tmp5A12.dll (SHA256 afe2b43e94e5d692cef60520a7f7b144cedb1d91fe9b4ad49aa50a3a123c326a, see Downloads) is the stage to match against the extracted IcedID configuration; the MSI, the DTF stub and the WixSharp assemblies are the delivery wrapper.
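To turn the chain above into a detection, here is an added example, not part of the sandbox report or of the sample: it rebuilds the process-creation records from the report's process tree (PIDs from the signature tables, parent PIDs from the WriteProcessMemory pairs), flags a rundll32.exe that loads a DLL from a user-writable staging directory, and walks its ancestry to record whether it hangs off a WiX DTF managed custom action (rundll32 loading C:\Windows\Installer\MSI*.tmp via zzzzInvokeManagedCustomActionOutOfProc) under msiexec.exe. The record fields, the STAGING_DIRS list and the Finding labels are assumptions of this example, not any EDR's schema.

```python
"""Flag the msiexec -> WiX DTF managed custom action -> rundll32 loader chain
from process-creation records. Added example, not part of the sandbox report:
EVENTS is constructed from the report's process tree (PIDs from the signature
tables); the record fields and STAGING_DIRS are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]  # None: the report shows no parent for this process
    image: str
    cmdline: str

MSI = (r"C:\Users\Admin\AppData\Local\Temp\de81ef356acc2e199252f8fe2a894c36"
       r"c6e327d5efd3abaaa7df477f3942e33b.msi")

# Constructed from the report's process tree; parent PIDs from the WriteProcessMemory pairs.
EVENTS: List[ProcEvent] = [
    ProcEvent(3048, None, r"C:\Windows\system32\msiexec.exe", f"msiexec.exe /I {MSI}"),
    ProcEvent(684, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(2024, 684, r"C:\Windows\system32\srtasks.exe",
              r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    ProcEvent(1040, 684, r"C:\Windows\System32\MsiExec.exe",
              r"C:\Windows\System32\MsiExec.exe -Embedding 9FFB8B7C837094EA0C7CD8659CEA648F"),
    ProcEvent(1524, 1040, r"C:\Windows\system32\rundll32.exe",
              r'rundll32.exe "C:\Windows\Installer\MSI5704.tmp",zzzzInvokeManagedCustomActionOutOfProc'
              r" SfxCA_240670640 2 test.cs!Test.CustomActions.MyAction"),
    ProcEvent(4824, 1524, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp5A12.dll",init'),
    ProcEvent(4568, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# rundll32 <dll>,<export>; tolerates quotes around the program and/or the DLL path.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
# User-writable staging locations (assumption; extend for your environment).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
                "\\programdata\\", "\\windows\\temp\\")
DTF_EXPORT = "zzzzinvokemanagedcustomactionoutofproc"  # fixed export of the WiX DTF SfxCA stub

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None

def is_managed_custom_action(ev: ProcEvent) -> bool:
    """rundll32 loading C:\\Windows\\Installer\\MSI*.tmp via the DTF export."""
    parsed = parse_rundll32(ev.cmdline)
    if parsed is None or basename(ev.image) != "rundll32.exe":
        return False
    dll, export = parsed
    return (basename(dll).startswith("msi") and basename(dll).endswith(".tmp")
            and export.lower() == DTF_EXPORT)

@dataclass
class Finding:
    pid: int
    dll: str
    export: str
    chain: List[Tuple[int, str]]  # (pid, image basename), child first
    via_managed_custom_action: bool
    installer_rooted: bool  # some msiexec.exe appears in the ancestry

def find_loader_chains(events: List[ProcEvent]) -> List[Finding]:
    """Flag rundll32 loading a DLL from a staging directory, then walk its
    ancestry to record whether it hangs off an MSI custom action."""
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        parsed = parse_rundll32(ev.cmdline) if basename(ev.image) == "rundll32.exe" else None
        if parsed is None or not any(d in parsed[0].lower() for d in STAGING_DIRS):
            continue  # the DTF host itself (MSI5704.tmp under C:\Windows\Installer) is not flagged
        chain: List[Tuple[int, str]] = []
        via_ca = rooted = False
        cur: Optional[ProcEvent] = ev
        seen = set()
        while cur is not None and cur.pid not in seen:  # guard against PID-reuse cycles
            seen.add(cur.pid)
            chain.append((cur.pid, basename(cur.image)))
            via_ca = via_ca or is_managed_custom_action(cur)
            rooted = rooted or basename(cur.image) == "msiexec.exe"
            cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
        findings.append(Finding(ev.pid, parsed[0], parsed[1], chain, via_ca, rooted))
    return findings

if __name__ == "__main__":
    for f in find_loader_chains(EVENTS):
        print(f"PID {f.pid}: rundll32 loaded {f.dll},{f.export}")
        print("  ancestry:", " <- ".join(f"{p}:{n}" for p, n in f.chain))
        print(f"  via DTF managed custom action: {f.via_managed_custom_action}, "
              f"installer-rooted: {f.installer_rooted}")
```

The DTF host on its own (PID 1524 loading MSI5704.tmp from C:\Windows\Installer) is how every WixSharp managed custom action runs, so it is deliberately not flagged; the verdict fires on the staged DLL (tmp5A12.dll with export init, PID 4824) and reports the msiexec.exe ancestry so an analyst can pivot to the package hash in the General section.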
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5A12.dll
  Filesize: 269KB
  MD5: fe23c1657eccf74fc9e485ded167f630
  SHA1: f707f77dfb0f3f23da5e4dce506b4558208055ad
  SHA256: afe2b43e94e5d692cef60520a7f7b144cedb1d91fe9b4ad49aa50a3a123c326a
  SHA512: 831324000bde8ca56652465e1ed33ea812369513e930a694a96f82b45b9f7e4aac8a21f5f6206da9dc75b4e38f4cc09f9d9cf71ad15c7ced0e44d7771a705a89
- C:\Windows\Installer\MSI5704.tmp
  Filesize: 413KB
  MD5: b5a9278e30c10a94be5d8c7242eb1542
  SHA1: 0b9551bd0f7abc9c0a21014e73c4b5800420aee6
  SHA256: e1bd934ca2a5b3cfc16f71758ffb0a00ec026eead4693409fa3a3af470935aff
  SHA512: 0f5e9a429c20b9eb089ab928022ea1dc3a45c3ac5b381274c33ff02c9f45bcca05d428db8221928e312540bc064afa7616d21f78ea050af41d2829c8c061161c
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: 59e202d95c4fc61729261105261036a0
  SHA1: a359667783dbdd510d013cdfc4c30d65c5b86602
  SHA256: 7e480b8fe067607391fe5f4ccabf20b95f1e28e3a23efc40ab82b7a9ef27bd4e
  SHA512: 55bfd41dd2793c5a22cc8edd4b1189c252278b6214ede032986fd20024cb97d8f3f8541253d3f68df54004f6675a5a81c4318f8ccedcac1c847bc1246808f7a5
- \??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{843cd9f0-2c6f-4e1e-9c1b-9dcde553683c}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 1f7ed7e8ff6e10f8b89d9d3192647bb7
  SHA1: 8b901547ab1a91d851d4584357f691d0f59ce2da
  SHA256: 954a45f888db0d92f194de31a6345c3e9b14489cc976efbb024538f17ad7accf
  SHA512: 010832fa90af0f5d299809196c6de739c08498c03cb09f7cf1862b1e54fe54a14bca3d5d80b230bd99ca55f3ca17e9202be54c70721d111175e2be9cfeaaf34a

The two System Volume Information\SPP entries are restore-point metadata written during the install (srtasks.exe and vssvc.exe in the process tree), not files dropped by the sample. The two files worth hashing against endpoints are tmp5A12.dll (the stage that made the network request) and MSI5704.tmp (the WiX DTF custom-action stub extracted from the package).

Memory dumps:
- memory/1040-133-0x0000000000000000-mapping.dmp
- memory/1524-140-0x00000248E2920000-0x00000248E2990000-memory.dmp (448KB)
- memory/1524-139-0x00000248E0DE0000-0x00000248E0DEA000-memory.dmp (40KB)
- memory/1524-147-0x00007FFBDB3D0000-0x00007FFBDBE91000-memory.dmp (10.8MB)
- memory/1524-138-0x00000248E2720000-0x00000248E274E000-memory.dmp (184KB)
- memory/1524-136-0x0000000000000000-mapping.dmp
- memory/1524-153-0x00007FFBDB3D0000-0x00007FFBDBE91000-memory.dmp (10.8MB)
- memory/2024-132-0x0000000000000000-mapping.dmp
- memory/4824-141-0x0000000000000000-mapping.dmp
- memory/4824-144-0x000001FD62F70000-0x000001FD62F79000-memory.dmp (36KB)