Overview

overview

10

Static

static

Scan_Invoi...54.msi

windows7-x64

10

Scan_Invoi...54.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    169s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2022 21:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scan_Invoice_12-09#54.msi

  • Size

    824KB

  • MD5

    7c0c7922a082101215c998a4ecf15481

  • SHA1

    5543faef6b9261087bad28e3274addd9823682b5

  • SHA256

    ea43a6d99b567d1dbc7339ff43e489ef22657fcd6bd9e36b69aea8b14fde8cd5

  • SHA512

    d689a1f9973e9996075bf1e5db2fb4326caef004e55b4f0bddb197535c179eb2bddb420c5ee68b23c842a423a9475eff98bb3bf2962a665304dafc684d97a4a1

  • SSDEEP

    24576:yHL009mTn3Tp9Lolu0aID/kJAHCcWPXoPcTPbgrQlRNKIg8gx:yr00a3ku0ocWPXoPcTPbgrQlRNKIg8g

Score
10/10
icedid1178326404bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

1178326404

C2

broskabrwaf.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Scan_Invoice_12-09#54.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2800
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:3556
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 7735B090E196E1DA8C996097A47FBBAF
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4076
        • C:\Windows\system32\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSI8691.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240682718 2 test.cs!Test.CustomActions.MyAction
          3⤵
          • Checks computer location settings
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:4336
          • C:\Windows\System32\rundll32.exe
            "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp89CC.dll",init
            4⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:2012
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4792

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    2
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp89CC.dll
      Filesize

      374KB

      MD5

      c50ce45b8e89a5b97442a167494a7540

      SHA1

      1101785b3bc90769c48e8c3567bf260c2477c39c

      SHA256

      38867d9bf275e511def67182871ad950321455cfbfa5c1141104712a4ec220b3

      SHA512

      469964bf7273b379cec03df6c2fa1768e1dae97d90f7d0459ed836558839936566d292b139632ec5b7b73a888fa34ea0e0305081d39417916706de488fd9551b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp89CC.dll
      Filesize

      374KB

      MD5

      c50ce45b8e89a5b97442a167494a7540

      SHA1

      1101785b3bc90769c48e8c3567bf260c2477c39c

      SHA256

      38867d9bf275e511def67182871ad950321455cfbfa5c1141104712a4ec220b3

      SHA512

      469964bf7273b379cec03df6c2fa1768e1dae97d90f7d0459ed836558839936566d292b139632ec5b7b73a888fa34ea0e0305081d39417916706de488fd9551b

      Download Submit
    • C:\Windows\Installer\MSI8691.tmp
      Filesize

      413KB

      MD5

      50139f9ecf5281f618512e8b5f03415d

      SHA1

      a976d06ad9758b646aee5fe50e1d2f61f92e765e

      SHA256

      f82cfac9e1d481579e8f88fd83a28d4793875db50475f848fcf528ce944cc7ff

      SHA512

      f8d927d0e8341991b14ae9d90708deda857a9b12291f5002095fb4cf9dcc6173c3f19f36c842386d933a14a9fb845e98442ad0a706b6487c4f52e09c44caf992

      Download Submit
    • C:\Windows\Installer\MSI8691.tmp
      Filesize

      413KB

      MD5

      50139f9ecf5281f618512e8b5f03415d

      SHA1

      a976d06ad9758b646aee5fe50e1d2f61f92e765e

      SHA256

      f82cfac9e1d481579e8f88fd83a28d4793875db50475f848fcf528ce944cc7ff

      SHA512

      f8d927d0e8341991b14ae9d90708deda857a9b12291f5002095fb4cf9dcc6173c3f19f36c842386d933a14a9fb845e98442ad0a706b6487c4f52e09c44caf992

      Download Submit
    • C:\Windows\Installer\MSI8691.tmp
      Filesize

      413KB

      MD5

      50139f9ecf5281f618512e8b5f03415d

      SHA1

      a976d06ad9758b646aee5fe50e1d2f61f92e765e

      SHA256

      f82cfac9e1d481579e8f88fd83a28d4793875db50475f848fcf528ce944cc7ff

      SHA512

      f8d927d0e8341991b14ae9d90708deda857a9b12291f5002095fb4cf9dcc6173c3f19f36c842386d933a14a9fb845e98442ad0a706b6487c4f52e09c44caf992

      Download Submit
    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.0MB

      MD5

      c33f57960123f0020530f8d51f959ffc

      SHA1

      72a55a3100ce739dbd93800495cc6d448565d6ee

      SHA256

      f0fd58d1921b9ac3231386eaf9327fcea32acb8f087b69c4a5d8f82d5c83d233

      SHA512

      b76f214887f0eede97b22dd1a337d76db241f158a82fe99b8932273bba940fc3ad6e40af67c33c23b522be63f6484d81a1b61ca4f2a05a4d1d6cbe2a59d655e4

      Download Submit
    • \??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{af0b12b4-279a-4074-81ef-af922833566c}_OnDiskSnapshotProp
      Filesize

      5KB

      MD5

      bd340b40ffb912948169a74334536651

      SHA1

      1fbb6d1e013b9e64dcf9c7e61b98a7d386fa7231

      SHA256

      7feea75580f375b0ffaabeeb6f38e49a0b3369858a5eba04756a94fb7b049a70

      SHA512

      cdc8de095c03636df9865bc0f60f4d086abe0d584d21d75cbb73fcf8ec3eaf952a62d569b24354028e3cc8586d877df324276b676742369f0a74e660d1996bdc

      Download Submit
    • memory/2012-143-0x0000000000000000-mapping.dmp
      Download
    • memory/2012-146-0x000001AE793B0000-0x000001AE793B9000-memory.dmp
      Filesize

      36KB

      Download
    • memory/3556-133-0x0000000000000000-mapping.dmp
      Download
    • memory/4076-134-0x0000000000000000-mapping.dmp
      Download
    • memory/4336-139-0x000001BD89100000-0x000001BD8912E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4336-140-0x000001BD890B0000-0x000001BD890BA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4336-141-0x000001BDA2280000-0x000001BDA22F0000-memory.dmp
      Filesize

      448KB

      Download
    • memory/4336-142-0x00007FF856400000-0x00007FF856EC1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4336-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4336-150-0x00007FF856400000-0x00007FF856EC1000-memory.dmp
      Filesize

      10.8MB

      Download