Overview

overview

10

Static

static

Document_0...DF.msi

windows7-x64

10

Document_0...DF.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    110s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2022 18:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document_07-12-2022_20-09-12_PDF.msi

  • Size

    1.2MB

  • MD5

    8b0c350a9acf409690db50979fa8628e

  • SHA1

    fa2bc04d301093a448d78560f86ad9b60930027d

  • SHA256

    99dfb7baafec050861e152a036af86fc0c7663f3c719d58a56dfd9f06f4b8cef

  • SHA512

    01a685fb5a461261baaa15188565ca816712fe3b86a9776cc3b0941c4031a59b324d647446f88e0485d1b5ae60214bb35798341b24cc486fdc758cfec89d5bfc

  • SSDEEP

    24576:wHL0tNrx5zH8h2q1ioC7ZTVVT+XirpTs7sx0QBnoNjla+idlpdIFyF3N0:wr0tNrxeB1BG/F+uTsAx0tlpidvdkyFC

Score
10/10
icedid1234857371bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

1234857371

C2

ewgahskoot.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Document_07-12-2022_20-09-12_PDF.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1128
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 8685A852AD8112D029BB566EE9C13905
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI931C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7115970 1 test.cs!Test.CustomActions.MyAction
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\System32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp9A9B.dll",init
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:1752
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1240
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000059C" "0000000000000574"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9A9B.dll
    Filesize

    821KB

    MD5

    78bb5b0c9f7e2d5cabf36deee8941d80

    SHA1

    c988e68e09364ffbfaafc5036ae98b91144b3aa2

    SHA256

    b99aba08a984359703f765f57ea9714232baf2397d774cd8ed81258c1c4896fc

    SHA512

    5c7e22342a35f963576cdf3a5129a57af7526d2d61ba7fdec6c96014790168f540c810e43180a7f19f3ee86b5bb3c044d972d9783606db1d07b83c1dbfa34c7b

    Download Submit
  • C:\Windows\Installer\MSI931C.tmp
    Filesize

    413KB

    MD5

    c3b8eb5198620adf3d33b703c40bcfa1

    SHA1

    acc7e2cbcff2746762f793360b34d7aabcec116a

    SHA256

    bedda762c46f1c6908223c34d24039ebffae88f8c6c87873065e112a530c208e

    SHA512

    2255164ba7a4b4b9c6a50868344175e3b4f5a8906ad29ee1cb19e1147427b1175c49ab1b158c772c11b7c77a846cf603cceea8148559f0acb285da4fb14418fd

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp9A9B.dll
    Filesize

    821KB

    MD5

    78bb5b0c9f7e2d5cabf36deee8941d80

    SHA1

    c988e68e09364ffbfaafc5036ae98b91144b3aa2

    SHA256

    b99aba08a984359703f765f57ea9714232baf2397d774cd8ed81258c1c4896fc

    SHA512

    5c7e22342a35f963576cdf3a5129a57af7526d2d61ba7fdec6c96014790168f540c810e43180a7f19f3ee86b5bb3c044d972d9783606db1d07b83c1dbfa34c7b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp9A9B.dll
    Filesize

    821KB

    MD5

    78bb5b0c9f7e2d5cabf36deee8941d80

    SHA1

    c988e68e09364ffbfaafc5036ae98b91144b3aa2

    SHA256

    b99aba08a984359703f765f57ea9714232baf2397d774cd8ed81258c1c4896fc

    SHA512

    5c7e22342a35f963576cdf3a5129a57af7526d2d61ba7fdec6c96014790168f540c810e43180a7f19f3ee86b5bb3c044d972d9783606db1d07b83c1dbfa34c7b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp9A9B.dll
    Filesize

    821KB

    MD5

    78bb5b0c9f7e2d5cabf36deee8941d80

    SHA1

    c988e68e09364ffbfaafc5036ae98b91144b3aa2

    SHA256

    b99aba08a984359703f765f57ea9714232baf2397d774cd8ed81258c1c4896fc

    SHA512

    5c7e22342a35f963576cdf3a5129a57af7526d2d61ba7fdec6c96014790168f540c810e43180a7f19f3ee86b5bb3c044d972d9783606db1d07b83c1dbfa34c7b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp9A9B.dll
    Filesize

    821KB

    MD5

    78bb5b0c9f7e2d5cabf36deee8941d80

    SHA1

    c988e68e09364ffbfaafc5036ae98b91144b3aa2

    SHA256

    b99aba08a984359703f765f57ea9714232baf2397d774cd8ed81258c1c4896fc

    SHA512

    5c7e22342a35f963576cdf3a5129a57af7526d2d61ba7fdec6c96014790168f540c810e43180a7f19f3ee86b5bb3c044d972d9783606db1d07b83c1dbfa34c7b

    Download Submit
  • \Windows\Installer\MSI931C.tmp
    Filesize

    413KB

    MD5

    c3b8eb5198620adf3d33b703c40bcfa1

    SHA1

    acc7e2cbcff2746762f793360b34d7aabcec116a

    SHA256

    bedda762c46f1c6908223c34d24039ebffae88f8c6c87873065e112a530c208e

    SHA512

    2255164ba7a4b4b9c6a50868344175e3b4f5a8906ad29ee1cb19e1147427b1175c49ab1b158c772c11b7c77a846cf603cceea8148559f0acb285da4fb14418fd

    Download Submit
  • \Windows\Installer\MSI931C.tmp
    Filesize

    413KB

    MD5

    c3b8eb5198620adf3d33b703c40bcfa1

    SHA1

    acc7e2cbcff2746762f793360b34d7aabcec116a

    SHA256

    bedda762c46f1c6908223c34d24039ebffae88f8c6c87873065e112a530c208e

    SHA512

    2255164ba7a4b4b9c6a50868344175e3b4f5a8906ad29ee1cb19e1147427b1175c49ab1b158c772c11b7c77a846cf603cceea8148559f0acb285da4fb14418fd

    Download Submit
  • memory/1128-54-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1528-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1624-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1624-64-0x0000000001EA0000-0x0000000001F10000-memory.dmp
    Filesize

    448KB

    Download
  • memory/1624-63-0x00000000001D0000-0x00000000001DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1624-62-0x0000000000180000-0x00000000001AE000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1752-66-0x0000000000000000-mapping.dmp
    Download
  • memory/1752-72-0x0000000180000000-0x0000000180009000-memory.dmp
    Filesize

    36KB

    Download