Analysis
-
max time kernel
131s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
12-12-2022 17:19
Static task
static1
Behavioral task
behavioral1
Sample
build-064.msi
Resource
win7-20221111-en
General
-
Target
build-064.msi
-
Size
720KB
-
MD5
4b5e7a1fbd90cd678b8648ff34de5813
-
SHA1
efa480263a6d2bf167592b04bd64e0ebe5685318
-
SHA256
f0bd3ee5f750d9bff17c13acfcdd96ab42e194319d766053104dee666b58e7bb
-
SHA512
f19664821059994e7e7f07dec13eb61a87ee1b138bb5344c14909bed8315cc27946414f47fbcd011a0a569203542114434fe9a5f9f02bacb101605459f4e4dde
-
SSDEEP
12288:/wHL0D7MkCPumy9chfA+tC8B0igC+/NHBT1SMut:YHL08/zyt+Q8BtZKBRSZ
Malware Config
Extracted
icedid
787509923
kamintrewftor.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
flow  pid   process
60    4260  rundll32.exe
95    4260  rundll32.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                 process
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  rundll32.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid   process
1724  MsiExec.exe
3180  rundll32.exe
4260  rundll32.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 13 IoCs
Processes:
description                   ioc                                                                          process
File opened for modification  C:\Windows\Installer\MSIE92D.tmp                                             msiexec.exe
File created                  C:\Windows\Installer\e56e15c.msi                                             msiexec.exe
File opened for modification  C:\Windows\Installer\MSIE1C9.tmp                                             msiexec.exe
File opened for modification  C:\Windows\Installer\MSIE1C9.tmp-\Microsoft.Deployment.WindowsInstaller.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\                                                       msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                               msiexec.exe
File created                  C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}        msiexec.exe
File created                  C:\Windows\Installer\e56e15e.msi                                             msiexec.exe
File opened for modification  C:\Windows\Installer\e56e15c.msi                                             msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                     msiexec.exe
File opened for modification  C:\Windows\Installer\MSIE1C9.tmp-\test.cs.dll                                rundll32.exe
File opened for modification  C:\Windows\Installer\MSIE1C9.tmp-\CustomAction.config                        rundll32.exe
File opened for modification  C:\Windows\Installer\MSIE1C9.tmp-\WixSharp.dll                               rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid   process
4260  rundll32.exe
4260  rundll32.exe
4260  rundll32.exe
4260  rundll32.exe
4260  rundll32.exe
4260  rundll32.exe
4536  msiexec.exe
4536  msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid  process
632  msiexec.exe
632  msiexec.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                      pid   process       target process
PID 4536 wrote to memory of 1148  4536  msiexec.exe   srtasks.exe
PID 4536 wrote to memory of 1148  4536  msiexec.exe   srtasks.exe
PID 4536 wrote to memory of 1724  4536  msiexec.exe   MsiExec.exe
PID 4536 wrote to memory of 1724  4536  msiexec.exe   MsiExec.exe
PID 1724 wrote to memory of 3180  1724  MsiExec.exe   rundll32.exe
PID 1724 wrote to memory of 3180  1724  MsiExec.exe   rundll32.exe
PID 3180 wrote to memory of 4260  3180  rundll32.exe  rundll32.exe
PID 3180 wrote to memory of 4260  3180  rundll32.exe  rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-064.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  -
  C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding E6E48E3A00119162E48F22DECF06C3A0
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIE1C9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240575062 2 test.cs!Test.CustomActions.MyAction
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
      -
      C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpE4A8.dll",init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpE4A8.dll
Filesize 269KB
MD5 bd7cc8ef67f89c22561ca3cf0d8d5bf4
SHA1 90f4594ae4ca1f39d9cc3e53634a11c04810a1bd
SHA256 f98f8234858c399877741dbd33c5b7f80ac5c0cc5ea15ac5aff6880927de307e
SHA512 754924d10e840f6691319de7a9f2f4183daeff5341e72a987d7e3c57a0823181b33f6784abfd29f15cb6912344865f1150a87de589246f975810222083ce5b72
-
C:\Windows\Installer\MSIE1C9.tmp
Filesize 413KB
MD5 d936bc2363e2139a65701b9ad1af9cee
SHA1 842ab6b02347e4a847dbfe0e23801adb0a2a3d7d
SHA256 8b00e01a842585de599b5ff608baf61297cda99e965d2af85ff430fc88f62b06
SHA512 68dbbd6ec3c8c49e5598b4c96b92abc63147a56ea3427995b3c88bba3da680781240d61867b6054dda580082545aee46385d5a750fcab7810f1da246fe8914b1
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize 23.0MB
MD5 6bbfc34ba423e13b677b4e9138502b23
SHA1 0c9899403e34919c22c3b1608e07f4bbf025da44
SHA256 d85d0d87654ff0a59e27a9a169dcf39deb9acd6f51f79f054265a80302d7cb1b
SHA512 5c0f8aee5649cf241daf65eb0370ac5f772ce3bc80ca68c57b012c76ac966a77628a767e15f3e988ef18fabc5a221a9d71b4154b3b3b9852f10067ea7f62a045
-
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{801c7c98-c2f8-4359-b3f0-8fa1ba4a85d4}_OnDiskSnapshotProp
Filesize 5KB
MD5 f86563a33fd67139041a86521b502d8b
SHA1 c21c7b49e6e2ca72aab38e70439018ef254b83be
SHA256 a26d7fc8e7d7f836b4c7a09feb097337a089a2d119aedd428741dad19ba0a6f4
SHA512 2c57f0cc05e73327234edc392573ca4760f17015eadc0f941826acb474cab924de292c7cf8f3a45b01e7aed13b3083165f4d2ba4343519792eef44b236f4c54a
-
memory/1148-132-0x0000000000000000-mapping.dmp
-
memory/1724-133-0x0000000000000000-mapping.dmp
-
memory/3180-140-0x000002294EA10000-0x000002294EA80000-memory.dmp
Filesize 448KB
-
memory/3180-139-0x0000022936410000-0x000002293641A000-memory.dmp
Filesize 40KB
-
memory/3180-150-0x00007FF8F2070000-0x00007FF8F2B31000-memory.dmp
Filesize 10.8MB
-
memory/3180-138-0x0000022936440000-0x000002293646E000-memory.dmp
Filesize 184KB
-
memory/3180-136-0x0000000000000000-mapping.dmp
-
memory/4260-141-0x0000000000000000-mapping.dmp
-
memory/4260-144-0x0000027DE98F0000-0x0000027DE98F9000-memory.dmp
Filesize 36KB