Analysis
- max time kernel: 169s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 09-12-2022 21:20
Static task
static1
Behavioral task
behavioral1
Sample
Scan_Invoice_12-09#54.msi
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Scan_Invoice_12-09#54.msi
Resource
win10v2004-20220812-en
General
- Target: Scan_Invoice_12-09#54.msi
- Size: 824KB
- MD5: 7c0c7922a082101215c998a4ecf15481
- SHA1: 5543faef6b9261087bad28e3274addd9823682b5
- SHA256: ea43a6d99b567d1dbc7339ff43e489ef22657fcd6bd9e36b69aea8b14fde8cd5
- SHA512: d689a1f9973e9996075bf1e5db2fb4326caef004e55b4f0bddb197535c179eb2bddb420c5ee68b23c842a423a9475eff98bb3bf2962a665304dafc684d97a4a1
- SSDEEP: 24576:yHL009mTn3Tp9Lolu0aID/kJAHCcWPXoPcTPbgrQlRNKIg8gx:yr00a3ku0ocWPXoPcTPbgrQlRNKIg8g
Malware Config
Extracted
icedid
1178326404
broskabrwaf.com
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes: rundll32.exe
flow 58 | pid 2012 | process rundll32.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: rundll32.exe
Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (rundll32.exe)
-
Loads dropped DLL 3 IoCs
Processes: MsiExec.exe, rundll32.exe, rundll32.exe
pid 4076 | process MsiExec.exe
pid 4336 | process rundll32.exe
pid 2012 | process rundll32.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
File opened (read-only) by msiexec.exe on every drive letter except C: and D:, each opened twice (48 IoCs in total):
\??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
-
Drops file in Windows directory 13 IoCs
Processes: msiexec.exe, rundll32.exe
File opened for modification C:\Windows\Installer\e58845e.msi (msiexec.exe)
File opened for modification C:\Windows\Installer\ (msiexec.exe)
File opened for modification C:\Windows\Installer\MSI85F4.tmp (msiexec.exe)
File created C:\Windows\Installer\e588460.msi (msiexec.exe)
File opened for modification C:\Windows\Installer\MSI8691.tmp (msiexec.exe)
File opened for modification C:\Windows\Installer\MSI8691.tmp-\test.cs.dll (rundll32.exe)
File opened for modification C:\Windows\Installer\MSI8691.tmp-\CustomAction.config (rundll32.exe)
File created C:\Windows\Installer\e58845e.msi (msiexec.exe)
File opened for modification C:\Windows\Installer\MSI8691.tmp-\WixSharp.dll (rundll32.exe)
File created C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
File created C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} (msiexec.exe)
File opened for modification C:\Windows\Installer\MSI8691.tmp-\Microsoft.Deployment.WindowsInstaller.dll (rundll32.exe)
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not present in this copy of the report] (vssvc.exe)
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: msiexec.exe, rundll32.exe
pid 4656 | process msiexec.exe
pid 4656 | process msiexec.exe
pid 2012 | process rundll32.exe
pid 2012 | process rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe, msiexec.exe, vssvc.exe
Token: SeShutdownPrivilege | pid 2800 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | pid 2800 | msiexec.exe
Token: SeSecurityPrivilege | pid 4656 | msiexec.exe
Token: SeCreateTokenPrivilege | pid 2800 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | pid 2800 | msiexec.exe
Token: SeLockMemoryPrivilege | pid 2800 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | pid 2800 | msiexec.exe
Token: SeMachineAccountPrivilege | pid 2800 | msiexec.exe
Token: SeTcbPrivilege | pid 2800 | msiexec.exe
Token: SeSecurityPrivilege | pid 2800 | msiexec.exe
Token: SeTakeOwnershipPrivilege | pid 2800 | msiexec.exe
Token: SeLoadDriverPrivilege | pid 2800 | msiexec.exe
Token: SeSystemProfilePrivilege | pid 2800 | msiexec.exe
Token: SeSystemtimePrivilege | pid 2800 | msiexec.exe
Token: SeProfSingleProcessPrivilege | pid 2800 | msiexec.exe
Token: SeIncBasePriorityPrivilege | pid 2800 | msiexec.exe
Token: SeCreatePagefilePrivilege | pid 2800 | msiexec.exe
Token: SeCreatePermanentPrivilege | pid 2800 | msiexec.exe
Token: SeBackupPrivilege | pid 2800 | msiexec.exe
Token: SeRestorePrivilege | pid 2800 | msiexec.exe
Token: SeShutdownPrivilege | pid 2800 | msiexec.exe
Token: SeDebugPrivilege | pid 2800 | msiexec.exe
Token: SeAuditPrivilege | pid 2800 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | pid 2800 | msiexec.exe
Token: SeChangeNotifyPrivilege | pid 2800 | msiexec.exe
Token: SeRemoteShutdownPrivilege | pid 2800 | msiexec.exe
Token: SeUndockPrivilege | pid 2800 | msiexec.exe
Token: SeSyncAgentPrivilege | pid 2800 | msiexec.exe
Token: SeEnableDelegationPrivilege | pid 2800 | msiexec.exe
Token: SeManageVolumePrivilege | pid 2800 | msiexec.exe
Token: SeImpersonatePrivilege | pid 2800 | msiexec.exe
Token: SeCreateGlobalPrivilege | pid 2800 | msiexec.exe
Token: SeBackupPrivilege | pid 4792 | vssvc.exe
Token: SeRestorePrivilege | pid 4792 | vssvc.exe
Token: SeAuditPrivilege | pid 4792 | vssvc.exe
Token: SeBackupPrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
Token: SeTakeOwnershipPrivilege | pid 4656 | msiexec.exe
Token: SeRestorePrivilege | pid 4656 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: msiexec.exe
pid 2800 | process msiexec.exe
pid 2800 | process msiexec.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: msiexec.exe, MsiExec.exe, rundll32.exe
PID 4656 wrote to memory of 3556 | msiexec.exe -> srtasks.exe
PID 4656 wrote to memory of 3556 | msiexec.exe -> srtasks.exe
PID 4656 wrote to memory of 4076 | msiexec.exe -> MsiExec.exe
PID 4656 wrote to memory of 4076 | msiexec.exe -> MsiExec.exe
PID 4076 wrote to memory of 4336 | MsiExec.exe -> rundll32.exe
PID 4076 wrote to memory of 4336 | MsiExec.exe -> rundll32.exe
PID 4336 wrote to memory of 2012 | rundll32.exe -> rundll32.exe
PID 4336 wrote to memory of 2012 | rundll32.exe -> rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exe (tree depth 1)
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Scan_Invoice_12-09#54.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe (tree depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exe (tree depth 2)
Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
-
C:\Windows\System32\MsiExec.exe (tree depth 2)
Command line: C:\Windows\System32\MsiExec.exe -Embedding 7735B090E196E1DA8C996097A47FBBAF
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe (tree depth 3)
Command line: rundll32.exe "C:\Windows\Installer\MSI8691.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240682718 2 test.cs!Test.CustomActions.MyAction
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe (tree depth 4)
Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp89CC.dll",init
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe (tree depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp89CC.dll
Filesize: 374KB
MD5: c50ce45b8e89a5b97442a167494a7540
SHA1: 1101785b3bc90769c48e8c3567bf260c2477c39c
SHA256: 38867d9bf275e511def67182871ad950321455cfbfa5c1141104712a4ec220b3
SHA512: 469964bf7273b379cec03df6c2fa1768e1dae97d90f7d0459ed836558839936566d292b139632ec5b7b73a888fa34ea0e0305081d39417916706de488fd9551b
-
C:\Windows\Installer\MSI8691.tmp
Filesize: 413KB
MD5: 50139f9ecf5281f618512e8b5f03415d
SHA1: a976d06ad9758b646aee5fe50e1d2f61f92e765e
SHA256: f82cfac9e1d481579e8f88fd83a28d4793875db50475f848fcf528ce944cc7ff
SHA512: f8d927d0e8341991b14ae9d90708deda857a9b12291f5002095fb4cf9dcc6173c3f19f36c842386d933a14a9fb845e98442ad0a706b6487c4f52e09c44caf992
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize: 23.0MB
MD5: c33f57960123f0020530f8d51f959ffc
SHA1: 72a55a3100ce739dbd93800495cc6d448565d6ee
SHA256: f0fd58d1921b9ac3231386eaf9327fcea32acb8f087b69c4a5d8f82d5c83d233
SHA512: b76f214887f0eede97b22dd1a337d76db241f158a82fe99b8932273bba940fc3ad6e40af67c33c23b522be63f6484d81a1b61ca4f2a05a4d1d6cbe2a59d655e4
-
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{af0b12b4-279a-4074-81ef-af922833566c}_OnDiskSnapshotProp
Filesize: 5KB
MD5: bd340b40ffb912948169a74334536651
SHA1: 1fbb6d1e013b9e64dcf9c7e61b98a7d386fa7231
SHA256: 7feea75580f375b0ffaabeeb6f38e49a0b3369858a5eba04756a94fb7b049a70
SHA512: cdc8de095c03636df9865bc0f60f4d086abe0d584d21d75cbb73fcf8ec3eaf952a62d569b24354028e3cc8586d877df324276b676742369f0a74e660d1996bdc
-
memory/2012-143-0x0000000000000000-mapping.dmp
-
memory/2012-146-0x000001AE793B0000-0x000001AE793B9000-memory.dmp
Filesize: 36KB
-
memory/3556-133-0x0000000000000000-mapping.dmp
-
memory/4076-134-0x0000000000000000-mapping.dmp
-
memory/4336-139-0x000001BD89100000-0x000001BD8912E000-memory.dmp
Filesize: 184KB
-
memory/4336-140-0x000001BD890B0000-0x000001BD890BA000-memory.dmp
Filesize: 40KB
-
memory/4336-141-0x000001BDA2280000-0x000001BDA22F0000-memory.dmp
Filesize: 448KB
-
memory/4336-142-0x00007FF856400000-0x00007FF856EC1000-memory.dmp
Filesize: 10.8MB
-
memory/4336-137-0x0000000000000000-mapping.dmp
-
memory/4336-150-0x00007FF856400000-0x00007FF856EC1000-memory.dmp
Filesize: 10.8MB