Overview

overview

10

Static

static

Scan_Invoi...54.msi

windows7-x64

10

Scan_Invoi...54.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    09-12-2022 21:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scan_Invoice_12-09#54.msi

  • Size

    824KB

  • MD5

    7c0c7922a082101215c998a4ecf15481

  • SHA1

    5543faef6b9261087bad28e3274addd9823682b5

  • SHA256

    ea43a6d99b567d1dbc7339ff43e489ef22657fcd6bd9e36b69aea8b14fde8cd5

  • SHA512

    d689a1f9973e9996075bf1e5db2fb4326caef004e55b4f0bddb197535c179eb2bddb420c5ee68b23c842a423a9475eff98bb3bf2962a665304dafc684d97a4a1

  • SSDEEP

    24576:yHL009mTn3Tp9Lolu0aID/kJAHCcWPXoPcTPbgrQlRNKIg8gx:yr00a3ku0ocWPXoPcTPbgrQlRNKIg8g

Score
10/10
icedid1178326404bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

1178326404

C2

broskabrwaf.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Scan_Invoice_12-09#54.msi
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:832
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 532043F447DD896AD4C01B767D635EA5
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI92C2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7246667 1 test.cs!Test.CustomActions.MyAction
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Windows\System32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp9FC9.dll",init
          4⤵
          • Loads dropped DLL
          PID:796
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1148
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003CC" "00000000000004A0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9FC9.dll
    Filesize

    374KB

    MD5

    c50ce45b8e89a5b97442a167494a7540

    SHA1

    1101785b3bc90769c48e8c3567bf260c2477c39c

    SHA256

    38867d9bf275e511def67182871ad950321455cfbfa5c1141104712a4ec220b3

    SHA512

    469964bf7273b379cec03df6c2fa1768e1dae97d90f7d0459ed836558839936566d292b139632ec5b7b73a888fa34ea0e0305081d39417916706de488fd9551b

    Download Submit
  • C:\Windows\Installer\MSI92C2.tmp
    Filesize

    413KB

    MD5

    50139f9ecf5281f618512e8b5f03415d

    SHA1

    a976d06ad9758b646aee5fe50e1d2f61f92e765e

    SHA256

    f82cfac9e1d481579e8f88fd83a28d4793875db50475f848fcf528ce944cc7ff

    SHA512

    f8d927d0e8341991b14ae9d90708deda857a9b12291f5002095fb4cf9dcc6173c3f19f36c842386d933a14a9fb845e98442ad0a706b6487c4f52e09c44caf992

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp9FC9.dll
    Filesize

    374KB

    MD5

    c50ce45b8e89a5b97442a167494a7540

    SHA1

    1101785b3bc90769c48e8c3567bf260c2477c39c

    SHA256

    38867d9bf275e511def67182871ad950321455cfbfa5c1141104712a4ec220b3

    SHA512

    469964bf7273b379cec03df6c2fa1768e1dae97d90f7d0459ed836558839936566d292b139632ec5b7b73a888fa34ea0e0305081d39417916706de488fd9551b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp9FC9.dll
    Filesize

    374KB

    MD5

    c50ce45b8e89a5b97442a167494a7540

    SHA1

    1101785b3bc90769c48e8c3567bf260c2477c39c

    SHA256

    38867d9bf275e511def67182871ad950321455cfbfa5c1141104712a4ec220b3

    SHA512

    469964bf7273b379cec03df6c2fa1768e1dae97d90f7d0459ed836558839936566d292b139632ec5b7b73a888fa34ea0e0305081d39417916706de488fd9551b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp9FC9.dll
    Filesize

    374KB

    MD5

    c50ce45b8e89a5b97442a167494a7540

    SHA1

    1101785b3bc90769c48e8c3567bf260c2477c39c

    SHA256

    38867d9bf275e511def67182871ad950321455cfbfa5c1141104712a4ec220b3

    SHA512

    469964bf7273b379cec03df6c2fa1768e1dae97d90f7d0459ed836558839936566d292b139632ec5b7b73a888fa34ea0e0305081d39417916706de488fd9551b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp9FC9.dll
    Filesize

    374KB

    MD5

    c50ce45b8e89a5b97442a167494a7540

    SHA1

    1101785b3bc90769c48e8c3567bf260c2477c39c

    SHA256

    38867d9bf275e511def67182871ad950321455cfbfa5c1141104712a4ec220b3

    SHA512

    469964bf7273b379cec03df6c2fa1768e1dae97d90f7d0459ed836558839936566d292b139632ec5b7b73a888fa34ea0e0305081d39417916706de488fd9551b

    Download Submit
  • \Windows\Installer\MSI92C2.tmp
    Filesize

    413KB

    MD5

    50139f9ecf5281f618512e8b5f03415d

    SHA1

    a976d06ad9758b646aee5fe50e1d2f61f92e765e

    SHA256

    f82cfac9e1d481579e8f88fd83a28d4793875db50475f848fcf528ce944cc7ff

    SHA512

    f8d927d0e8341991b14ae9d90708deda857a9b12291f5002095fb4cf9dcc6173c3f19f36c842386d933a14a9fb845e98442ad0a706b6487c4f52e09c44caf992

    Download Submit
  • \Windows\Installer\MSI92C2.tmp
    Filesize

    413KB

    MD5

    50139f9ecf5281f618512e8b5f03415d

    SHA1

    a976d06ad9758b646aee5fe50e1d2f61f92e765e

    SHA256

    f82cfac9e1d481579e8f88fd83a28d4793875db50475f848fcf528ce944cc7ff

    SHA512

    f8d927d0e8341991b14ae9d90708deda857a9b12291f5002095fb4cf9dcc6173c3f19f36c842386d933a14a9fb845e98442ad0a706b6487c4f52e09c44caf992

    Download Submit
  • memory/796-72-0x00000000001A0000-0x00000000001A9000-memory.dmp
    Filesize

    36KB

    Download
  • memory/796-66-0x0000000000000000-mapping.dmp
    Download
  • memory/828-56-0x0000000000000000-mapping.dmp
    Download
  • memory/832-54-0x000007FEFB8E1000-0x000007FEFB8E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/944-60-0x0000000000000000-mapping.dmp
    Download
  • memory/944-64-0x000000001A420000-0x000000001A490000-memory.dmp
    Filesize

    448KB

    Download
  • memory/944-63-0x0000000000650000-0x000000000065A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/944-62-0x0000000000610000-0x000000000063E000-memory.dmp
    Filesize

    184KB

    Download