Analysis
- max time kernel: 308s
- max time network: 374s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-12-2022 19:34
Static task: static1
Behavioral task: behavioral1
- Sample: ZoomInstallerFull.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: ZoomInstallerFull.exe
- Resource: win10v2004-20221111-en
General
- Target: ZoomInstallerFull.exe
- Size: 75.4MB
- MD5: 3d36e5c4caa98515b4cbede14c253676
- SHA1: d2e1bd8ee0a2185557e5c01883cdccb53772f7bb
- SHA256: c15c7e69d90fd076c43a89bb11cf2a642bf3e354566aeecfb9b58fee4e27372a
- SHA512: b234812ba40bfee5dfacacf4d2198949d3636449e34a9f75c062d2bc20c6225edb1c4d25f737c5ecc0d31b1cbbf2960e3ba8ce97f006368871dda2a5cd2e6182
- SSDEEP: 1572864:upDrQefrQSB+gTC4GB3RA9MLhWG7VYlSGTbANByfGajuTgIrPJGs:cDLfrQQ/FA3RAicfUjByfFIDJ
Malware Config
Extracted
- family: icedid
- campaign: 1441853872
- c2: ewgahskoot.com
Signatures
- Blocklisted process makes network request (14 IoCs)
  Processes: rundll32.exe, msiexec.exe
  flow  pid   process
  36    3352  rundll32.exe
  53    3352  rundll32.exe
  66    3916  msiexec.exe
  72    3916  msiexec.exe
  73    3916  msiexec.exe
  75    3916  msiexec.exe
  76    3916  msiexec.exe
  77    3916  msiexec.exe
  80    3916  msiexec.exe
  93    3916  msiexec.exe
  94    3916  msiexec.exe
  99    3352  rundll32.exe
  107   3352  rundll32.exe
  120   3352  rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
  pid   process
  3352  rundll32.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe
  description: File opened (read-only) by msiexec.exe, one IoC per drive root, in the order recorded:
  \??\Q:, \??\S:, \??\V:, \??\B:, \??\I:, \??\J:, \??\M:, \??\N:, \??\L:, \??\P:, \??\U:, \??\X:, \??\Y:, \??\Z:, \??\E:, \??\F:, \??\H:, \??\R:, \??\W:, \??\A:, \??\G:, \??\K:, \??\O:, \??\T:
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: vssvc.exe
  description       ioc                                                                                                                              process
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                 vssvc.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                 vssvc.exe
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr         vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not present in the captured report)  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid   process
  3352  rundll32.exe
  3352  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  Processes: msiexec.exe, msiexec.exe, vssvc.exe
  description                           pid   process
  Token: SeShutdownPrivilege            3916  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       3916  msiexec.exe
  Token: SeSecurityPrivilege            1820  msiexec.exe
  Token: SeCreateTokenPrivilege         3916  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  3916  msiexec.exe
  Token: SeLockMemoryPrivilege          3916  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       3916  msiexec.exe
  Token: SeMachineAccountPrivilege      3916  msiexec.exe
  Token: SeTcbPrivilege                 3916  msiexec.exe
  Token: SeSecurityPrivilege            3916  msiexec.exe
  Token: SeTakeOwnershipPrivilege       3916  msiexec.exe
  Token: SeLoadDriverPrivilege          3916  msiexec.exe
  Token: SeSystemProfilePrivilege       3916  msiexec.exe
  Token: SeSystemtimePrivilege          3916  msiexec.exe
  Token: SeProfSingleProcessPrivilege   3916  msiexec.exe
  Token: SeIncBasePriorityPrivilege     3916  msiexec.exe
  Token: SeCreatePagefilePrivilege      3916  msiexec.exe
  Token: SeCreatePermanentPrivilege     3916  msiexec.exe
  Token: SeBackupPrivilege              3916  msiexec.exe
  Token: SeRestorePrivilege             3916  msiexec.exe
  Token: SeShutdownPrivilege            3916  msiexec.exe
  Token: SeDebugPrivilege               3916  msiexec.exe
  Token: SeAuditPrivilege               3916  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   3916  msiexec.exe
  Token: SeChangeNotifyPrivilege        3916  msiexec.exe
  Token: SeRemoteShutdownPrivilege      3916  msiexec.exe
  Token: SeUndockPrivilege              3916  msiexec.exe
  Token: SeSyncAgentPrivilege           3916  msiexec.exe
  Token: SeEnableDelegationPrivilege    3916  msiexec.exe
  Token: SeManageVolumePrivilege        3916  msiexec.exe
  Token: SeImpersonatePrivilege         3916  msiexec.exe
  Token: SeCreateGlobalPrivilege        3916  msiexec.exe
  Token: SeBackupPrivilege              1768  vssvc.exe
  Token: SeRestorePrivilege             1768  vssvc.exe
  Token: SeAuditPrivilege               1768  vssvc.exe
  Token: SeBackupPrivilege              1820  msiexec.exe
  Token: SeRestorePrivilege             1820  msiexec.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: msiexec.exe
  pid   process
  3916  msiexec.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: ZoomInstallerFull.exe
  description                    pid   process                target process
  PID 4456 wrote to memory of 3352  4456  ZoomInstallerFull.exe  rundll32.exe
  PID 4456 wrote to memory of 3352  4456  ZoomInstallerFull.exe  rundll32.exe
  PID 4456 wrote to memory of 3916  4456  ZoomInstallerFull.exe  msiexec.exe
  PID 4456 wrote to memory of 3916  4456  ZoomInstallerFull.exe  msiexec.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe"
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\SYSTEM32\rundll32.exe (child)
    Command line: C:\WINDOWS\SYSTEM32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ikm.aaa, init
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SYSTEM32\msiexec.exe (child)
    Command line: msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\ikm.msi
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ikm.aaa
  Filesize: 374KB
  MD5: f371a5d45d6aa7bf79c73c6ac1e27db8
  SHA1: fc5cfb8d23f4c4b7b0d866679860a4b51a53f52e
  SHA256: a91ab1223bc23763dca1e0bd8d47553b7d3a7d4b8c114504ec67439845519eeb
  SHA512: f5ef2ab57d0f309194331c1d45aa30632656f26c17913db325a40a9e4f186346c53e1aa82a0a336fac8d2e664a143e0b8621fc5c00ebca31ec369e19ca91c02d
- C:\Users\Admin\AppData\Local\Temp\ikm.msi
  Filesize: 75.1MB
  MD5: f7f764ed7be9356b85c73462542b36c3
  SHA1: e0a67fa1d899d464ec6a268dcfb1b14de172c582
  SHA256: 839c1a8a906bd0bce47262a904708ed58eb832a1acae917ecd758ab5a01f3234
  SHA512: fafa807291c19bac4da510edc5ccea607b77b0220c5c9090d1eb5a7c3a022f67c113bdf51ef13bc6af830ae3843ca4ea53d96a033fc5aae9714a8708e068b45c
- memory/3352-132-0x0000000000000000-mapping.dmp
- memory/3352-135-0x00000220354D0000-0x00000220354D9000-memory.dmp
  Filesize: 36KB
- memory/3916-141-0x0000000000000000-mapping.dmp