Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-12-2022 17:27
Static task: static1
Behavioral task: behavioral1
Sample: build-064.msi
Resource: win7-20221111-en
General
- Target: build-064.msi
- Size: 720KB
- MD5: 4b5e7a1fbd90cd678b8648ff34de5813
- SHA1: efa480263a6d2bf167592b04bd64e0ebe5685318
- SHA256: f0bd3ee5f750d9bff17c13acfcdd96ab42e194319d766053104dee666b58e7bb
- SHA512: f19664821059994e7e7f07dec13eb61a87ee1b138bb5344c14909bed8315cc27946414f47fbcd011a0a569203542114434fe9a5f9f02bacb101605459f4e4dde
- SSDEEP: 12288:/wHL0D7MkCPumy9chfA+tC8B0igC+/NHBT1SMut:YHL08/zyt+Q8BtZKBRSZ
Malware Config
Extracted
- icedid
- 787509923
- kamintrewftor.com
Signatures
Blocklisted process makes network request (3 IoCs)
Processes: rundll32.exe
- flow 33, pid 1364, rundll32.exe
- flow 71, pid 1364, rundll32.exe
- flow 82, pid 1364, rundll32.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: rundll32.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation (rundll32.exe)
Loads dropped DLL (3 IoCs)
Processes: MsiExec.exe, rundll32.exe, rundll32.exe
- pid 5016, MsiExec.exe
- pid 404, rundll32.exe
- pid 1364, rundll32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
- File opened (read-only) by msiexec.exe, 48 events, in this order: \??\R:, \??\U:, \??\A:, \??\O:, \??\P:, \??\A:, \??\V:, \??\L:, \??\W:, \??\I:, \??\M:, \??\T:, \??\G:, \??\N:, \??\S:, \??\W:, \??\Q:, \??\U:, \??\Y:, \??\J:, \??\L:, \??\E:, \??\F:, \??\J:, \??\K:, \??\Z:, \??\H:, \??\P:, \??\I:, \??\N:, \??\R:, \??\E:, \??\Q:, \??\X:, \??\G:, \??\H:, \??\S:, \??\O:, \??\F:, \??\K:, \??\Y:, \??\Z:, \??\B:, \??\M:, \??\T:, \??\B:, \??\X:, \??\V:
Drops file in Windows directory (13 IoCs)
Processes: rundll32.exe, msiexec.exe
- File opened for modification: C:\Windows\Installer\MSID0D2.tmp-\Microsoft.Deployment.WindowsInstaller.dll (rundll32.exe)
- File created: C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSID5E4.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e56d076.msi (msiexec.exe)
- File created: C:\Windows\Installer\e56d074.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSID0D2.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSID0D2.tmp-\WixSharp.dll (rundll32.exe)
- File opened for modification: C:\Windows\Installer\MSID0D2.tmp-\CustomAction.config (rundll32.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e56d074.msi (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSID0D2.tmp-\test.cs.dll (rundll32.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000106161d2e731958f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000106161d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900106161d2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000106161d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000106161d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: rundll32.exe, msiexec.exe
- pid 1364, rundll32.exe (6 events)
- pid 3380, msiexec.exe (2 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe
Entries are listed in the order recorded, as "Token: privilege, pid, process":
- Token: SeShutdownPrivilege, 3176, msiexec.exe
- Token: SeIncreaseQuotaPrivilege, 3176, msiexec.exe
- Token: SeSecurityPrivilege, 3380, msiexec.exe
- Token: SeCreateTokenPrivilege, 3176, msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege, 3176, msiexec.exe
- Token: SeLockMemoryPrivilege, 3176, msiexec.exe
- Token: SeIncreaseQuotaPrivilege, 3176, msiexec.exe
- Token: SeMachineAccountPrivilege, 3176, msiexec.exe
- Token: SeTcbPrivilege, 3176, msiexec.exe
- Token: SeSecurityPrivilege, 3176, msiexec.exe
- Token: SeTakeOwnershipPrivilege, 3176, msiexec.exe
- Token: SeLoadDriverPrivilege, 3176, msiexec.exe
- Token: SeSystemProfilePrivilege, 3176, msiexec.exe
- Token: SeSystemtimePrivilege, 3176, msiexec.exe
- Token: SeProfSingleProcessPrivilege, 3176, msiexec.exe
- Token: SeIncBasePriorityPrivilege, 3176, msiexec.exe
- Token: SeCreatePagefilePrivilege, 3176, msiexec.exe
- Token: SeCreatePermanentPrivilege, 3176, msiexec.exe
- Token: SeBackupPrivilege, 3176, msiexec.exe
- Token: SeRestorePrivilege, 3176, msiexec.exe
- Token: SeShutdownPrivilege, 3176, msiexec.exe
- Token: SeDebugPrivilege, 3176, msiexec.exe
- Token: SeAuditPrivilege, 3176, msiexec.exe
- Token: SeSystemEnvironmentPrivilege, 3176, msiexec.exe
- Token: SeChangeNotifyPrivilege, 3176, msiexec.exe
- Token: SeRemoteShutdownPrivilege, 3176, msiexec.exe
- Token: SeUndockPrivilege, 3176, msiexec.exe
- Token: SeSyncAgentPrivilege, 3176, msiexec.exe
- Token: SeEnableDelegationPrivilege, 3176, msiexec.exe
- Token: SeManageVolumePrivilege, 3176, msiexec.exe
- Token: SeImpersonatePrivilege, 3176, msiexec.exe
- Token: SeCreateGlobalPrivilege, 3176, msiexec.exe
- Token: SeBackupPrivilege, 4880, vssvc.exe
- Token: SeRestorePrivilege, 4880, vssvc.exe
- Token: SeAuditPrivilege, 4880, vssvc.exe
- Token: SeBackupPrivilege, 3380, msiexec.exe
- Token: SeRestorePrivilege, 3380, msiexec.exe
- Remaining 27 entries, all pid 3380, msiexec.exe: SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, starting with SeRestorePrivilege (14 SeRestorePrivilege, 13 SeTakeOwnershipPrivilege)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
- pid 3176, msiexec.exe (2 events)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: msiexec.exe, MsiExec.exe, rundll32.exe
- PID 3380 (msiexec.exe) wrote to memory of 1436 (srtasks.exe), 2 events
- PID 3380 (msiexec.exe) wrote to memory of 5016 (MsiExec.exe), 2 events
- PID 5016 (MsiExec.exe) wrote to memory of 404 (rundll32.exe), 2 events
- PID 404 (rundll32.exe) wrote to memory of 1364 (rundll32.exe), 2 events
Processes
Each entry gives the image path, the command line, and the process-tree depth.
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-064.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (depth 2)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\System32\MsiExec.exe (depth 2)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding C839569A89D37D98AB8464C912BC3079
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe (depth 3)
      Command line: rundll32.exe "C:\Windows\Installer\MSID0D2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240570750 2 test.cs!Test.CustomActions.MyAction
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\rundll32.exe (depth 4)
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpD2F5.dll",init
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD2F5.dll
  Filesize: 269KB
  MD5: bd7cc8ef67f89c22561ca3cf0d8d5bf4
  SHA1: 90f4594ae4ca1f39d9cc3e53634a11c04810a1bd
  SHA256: f98f8234858c399877741dbd33c5b7f80ac5c0cc5ea15ac5aff6880927de307e
  SHA512: 754924d10e840f6691319de7a9f2f4183daeff5341e72a987d7e3c57a0823181b33f6784abfd29f15cb6912344865f1150a87de589246f975810222083ce5b72
- C:\Windows\Installer\MSID0D2.tmp
  Filesize: 413KB
  MD5: d936bc2363e2139a65701b9ad1af9cee
  SHA1: 842ab6b02347e4a847dbfe0e23801adb0a2a3d7d
  SHA256: 8b00e01a842585de599b5ff608baf61297cda99e965d2af85ff430fc88f62b06
  SHA512: 68dbbd6ec3c8c49e5598b4c96b92abc63147a56ea3427995b3c88bba3da680781240d61867b6054dda580082545aee46385d5a750fcab7810f1da246fe8914b1
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: e9b81a6d576f7d8ae0dc965d80a2039b
  SHA1: ffd1f168a7b036a0a2608c1961b4ece9aeaddeba
  SHA256: f4bf2a37a12c0b61905e55d238979b84e37282f4c6ac86a2af43d0a50c8a32b6
  SHA512: 3c16cf47865b4cd65712ab771bf453caf1e11351a50ac104fbdd7482741cc3117fd526d5502c2f868ffe5a265656b51bbf19f5929cfa8b7e23899d8e84d4215f
- \??\Volume{d2616110-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ae487663-db98-4eb1-a88d-25033723e9f9}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 227369f0fa419ad114a2a785425cb2ad
  SHA1: 1219adc4f1cd0be2f7869866f6dca767ee7e6fad
  SHA256: 55719235b86d53db9d1805bd526aa1944de1aa4fa6f01120a4f7a45055636ade
  SHA512: 17bbb5b5512594df175766a094286c210da64abdb83d56cb0dc6a0f70bafaa37fcea1629c72e9259dc743dfbe14f38ea4e0fceb6762939421096f874013710ec
- memory/404-140-0x0000029A8F850000-0x0000029A8F8C0000-memory.dmp
  Filesize: 448KB
- memory/404-139-0x0000029A8EC80000-0x0000029A8EC8A000-memory.dmp
  Filesize: 40KB
- memory/404-138-0x0000029A8EC90000-0x0000029A8ECBE000-memory.dmp
  Filesize: 184KB
- memory/404-150-0x0000029A8ED80000-0x0000029A8F841000-memory.dmp
  Filesize: 10.8MB
- memory/404-136-0x0000000000000000-mapping.dmp
- memory/1364-141-0x0000000000000000-mapping.dmp
- memory/1364-144-0x000001D930DE0000-0x000001D930DE9000-memory.dmp
  Filesize: 36KB
- memory/1436-132-0x0000000000000000-mapping.dmp
- memory/5016-133-0x0000000000000000-mapping.dmp