Analysis
Max time kernel: 147s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 08-12-2022 18:33
Static task: static1
Behavioral task: behavioral1
  Sample: Document_07-12-2022_20-09-12_PDF.msi
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: Document_07-12-2022_20-09-12_PDF.msi
  Resource: win10v2004-20220901-en
General
Target: Document_07-12-2022_20-09-12_PDF.msi
Size: 1.2MB
MD5: 8b0c350a9acf409690db50979fa8628e
SHA1: fa2bc04d301093a448d78560f86ad9b60930027d
SHA256: 99dfb7baafec050861e152a036af86fc0c7663f3c719d58a56dfd9f06f4b8cef
SHA512: 01a685fb5a461261baaa15188565ca816712fe3b86a9776cc3b0941c4031a59b324d647446f88e0485d1b5ae60214bb35798341b24cc486fdc758cfec89d5bfc
SSDEEP: 24576:wHL0tNrx5zH8h2q1ioC7ZTVVT+XirpTs7sx0QBnoNjla+idlpdIFyF3N0:wr0tNrxeB1BG/F+uTsAx0tlpidvdkyFC
Malware Config
Extracted
Family: icedid
Campaign: 1234857371
C2: ewgahskoot.com
Signatures

Blocklisted process makes network request (3 IoCs)
Processes: rundll32.exe
  flow | pid | process
  29 | 388 | rundll32.exe
  47 | 388 | rundll32.exe
  48 | 388 | rundll32.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | rundll32.exe
Loads dropped DLL (3 IoCs)
Processes: MsiExec.exe, rundll32.exe, rundll32.exe
  pid | process
  548 | MsiExec.exe
  804 | rundll32.exe
  388 | rundll32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  description: File opened (read-only); process: msiexec.exe; ioc (48 entries, in report order):
  \??\B: \??\I: \??\Y: \??\A: \??\L: \??\N: \??\O: \??\P: \??\L: \??\S: \??\W: \??\H:
  \??\I: \??\U: \??\Y: \??\A: \??\E: \??\G: \??\K: \??\M: \??\T: \??\K: \??\O: \??\E:
  \??\G: \??\J: \??\V: \??\Z: \??\B: \??\M: \??\N: \??\P: \??\F: \??\S: \??\U: \??\R:
  \??\T: \??\X: \??\H: \??\F: \??\J: \??\W: \??\X: \??\Z: \??\Q: \??\Q: \??\R: \??\V:
Drops file in Windows directory (13 IoCs)
Processes: msiexec.exe, rundll32.exe
  description | ioc | process
  File opened for modification | C:\Windows\Installer\MSI1712.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI1712.tmp-\CustomAction.config | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSI1712.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e571647.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI1712.tmp-\test.cs.dll | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSI1712.tmp-\WixSharp.dll | rundll32.exe
  File created | C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI251D.tmp | msiexec.exe
  File created | C:\Windows\Installer\e571649.msi | msiexec.exe
  File created | C:\Windows\Installer\e571647.msi | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value omitted) | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: msiexec.exe, rundll32.exe
  pid | process
  1208 | msiexec.exe
  1208 | msiexec.exe
  388 | rundll32.exe
  388 | rundll32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe (pid 476), msiexec.exe (pid 1208), vssvc.exe (pid 2840)
Token privileges adjusted, grouped by process (the report lists them interleaved):
  pid 476, msiexec.exe (31 IoCs): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 1208, msiexec.exe (30 IoCs): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, then the pair SeRestorePrivilege, SeTakeOwnershipPrivilege repeated 13 times, then a final SeRestorePrivilege
  pid 2840, vssvc.exe (3 IoCs): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  pid | process
  476 | msiexec.exe
  476 | msiexec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: msiexec.exe, MsiExec.exe, rundll32.exe
  description | pid | process | target process
  PID 1208 wrote to memory of 4812 | 1208 | msiexec.exe | srtasks.exe
  PID 1208 wrote to memory of 4812 | 1208 | msiexec.exe | srtasks.exe
  PID 1208 wrote to memory of 548 | 1208 | msiexec.exe | MsiExec.exe
  PID 1208 wrote to memory of 548 | 1208 | msiexec.exe | MsiExec.exe
  PID 548 wrote to memory of 804 | 548 | MsiExec.exe | rundll32.exe
  PID 548 wrote to memory of 804 | 548 | MsiExec.exe | rundll32.exe
  PID 804 wrote to memory of 388 | 804 | rundll32.exe | rundll32.exe
  PID 804 wrote to memory of 388 | 804 | rundll32.exe | rundll32.exe
Processes (process tree; indentation shows parent/child, depth in brackets)

[1] C:\Windows\system32\msiexec.exe
    command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Document_07-12-2022_20-09-12_PDF.msi
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\msiexec.exe
    command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\srtasks.exe
        command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    [2] C:\Windows\System32\MsiExec.exe
        command line: C:\Windows\System32\MsiExec.exe -Embedding A53ECD0631F0753E423B8D4A310A811D
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\rundll32.exe
            command line: rundll32.exe "C:\Windows\Installer\MSI1712.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240588750 2 test.cs!Test.CustomActions.MyAction
            - Checks computer location settings
            - Loads dropped DLL
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\System32\rundll32.exe
                command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp1DAA.dll",init
                - Blocklisted process makes network request
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp1DAA.dll
  Filesize: 821KB
  MD5: 78bb5b0c9f7e2d5cabf36deee8941d80
  SHA1: c988e68e09364ffbfaafc5036ae98b91144b3aa2
  SHA256: b99aba08a984359703f765f57ea9714232baf2397d774cd8ed81258c1c4896fc
  SHA512: 5c7e22342a35f963576cdf3a5129a57af7526d2d61ba7fdec6c96014790168f540c810e43180a7f19f3ee86b5bb3c044d972d9783606db1d07b83c1dbfa34c7b
- C:\Windows\Installer\MSI1712.tmp
  Filesize: 413KB
  MD5: c3b8eb5198620adf3d33b703c40bcfa1
  SHA1: acc7e2cbcff2746762f793360b34d7aabcec116a
  SHA256: bedda762c46f1c6908223c34d24039ebffae88f8c6c87873065e112a530c208e
  SHA512: 2255164ba7a4b4b9c6a50868344175e3b4f5a8906ad29ee1cb19e1147427b1175c49ab1b158c772c11b7c77a846cf603cceea8148559f0acb285da4fb14418fd
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 11.8MB
  MD5: 8073c0494b4d83ad79dd0f428f4b3d85
  SHA1: 3bcb31468755edea99d55322dfb2896dabf20ab6
  SHA256: 973a8a5f36b6e47822157faf7b9383a7e62c2f3104d366528b73c32399b5f980
  SHA512: 1e47c5569f6252b89a118feae42ba8786c0c5350783f2b747428ffbd3225216d219614295362ab1751890db077dc183315744c572cd5096ec515e0ba1eceace8

- \??\Volume{2339e045-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{469e9d2b-e7c9-4b4c-bb7a-ab760a17591a}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 26ee9fc76700758f3f300e28421805cd
  SHA1: 71bcdda37cd54d79cc64c4c736cd3a7588431e96
  SHA256: 1482d0888ac6cb12f83302b8b5a121ab7431702671d6c9b56a9eb91845fc3b43
  SHA512: b042d6e23eff3e1af25b05f34860da117e5ae87fa774fe633a09f97dbc36283155fe170b4a7ec9b732b7d90f93625887b7827ded090c64d7cc7e6d3955cb75a4

Memory dumps:
- memory/388-145-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
- memory/388-142-0x0000000000000000-mapping.dmp
- memory/548-133-0x0000000000000000-mapping.dmp
- memory/804-140-0x00007FFC46460000-0x00007FFC46F21000-memory.dmp (Filesize: 10.8MB)
- memory/804-141-0x000001961AD90000-0x000001961AE00000-memory.dmp (Filesize: 448KB)
- memory/804-136-0x0000000000000000-mapping.dmp
- memory/804-146-0x00007FFC46460000-0x00007FFC46F21000-memory.dmp (Filesize: 10.8MB)
- memory/804-139-0x000001961AB80000-0x000001961AB8A000-memory.dmp (Filesize: 40KB)
- memory/804-138-0x000001961ABA0000-0x000001961ABCE000-memory.dmp (Filesize: 184KB)
- memory/4812-132-0x0000000000000000-mapping.dmp