Analysis
-
max time kernel
133s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
12-12-2022 18:28
General
-
Target
Scan_Invoice_12-09#46.msi
-
Size
824KB
-
MD5
eb93a0d10c8b95407415ddbfdb98e1b9
-
SHA1
74350debcdc7cfab67bcb612750fb4cb1f791649
-
SHA256
b1d89aa18cd6e5e8e007713b1f79ae72238e85211c19d403b02ace2eac464e67
-
SHA512
046ce84e6e90885419a9a1974468f7565ea9aa21945bc8987212e175178c1ce5cd61253a8b34f517fafddb307d8264361a5794a673e2e78d56df3490b66b1dff
-
SSDEEP
24576:HHL049mTn3Tp9Lol00aID/kJAHC+WPXoPcTPbgrQlRNKIg8gx:Hr04a3k00o+WPXoPcTPbgrQlRNKIg8g
Malware Config
Extracted
icedid
1178326404
broskabrwaf.com
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 13 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Scan_Invoice_12-09#46.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding ED651FEAA2C3B1CD8BACC823DF7F99902⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Windows\Installer\MSIF26F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240644843 2 test.cs!Test.CustomActions.MyAction3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpF78F.dll",init4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpF78F.dllFilesize
374KB
MD5eaf85e9f10d0e3079484391d29307ae9
SHA1f82505f4699ed2df7a1a9fb46a12005f8528a175
SHA2566517ef2c579002ec62ddeb01a3175917c75d79ceca355c415a4462922c715cb6
SHA51264e60335f7c10b838fa9e0ba3dc3d883ab5e62972e980090f04d90f2342e78ee916e39fb814dff02e020fe6c412c2486f30fd7f5a2082b58ae9c2d548e022f2a
-
C:\Users\Admin\AppData\Local\Temp\tmpF78F.dllFilesize
374KB
MD5eaf85e9f10d0e3079484391d29307ae9
SHA1f82505f4699ed2df7a1a9fb46a12005f8528a175
SHA2566517ef2c579002ec62ddeb01a3175917c75d79ceca355c415a4462922c715cb6
SHA51264e60335f7c10b838fa9e0ba3dc3d883ab5e62972e980090f04d90f2342e78ee916e39fb814dff02e020fe6c412c2486f30fd7f5a2082b58ae9c2d548e022f2a
-
C:\Windows\Installer\MSIF26F.tmpFilesize
413KB
MD5ed0a7ca6d9631c07104d5d62b2e6b606
SHA1acc2305cdd56f8541d89d815b80a304361c87dae
SHA256d1242cdbd87cb95e50a569320dc34b59f694eec569232f426370ced512793318
SHA512d297bf55555db5e2b64eb2e0741055c58e1d229d68697b5e2a4b227fd6807783ba99db32fa2286bf35830e30d96b2763a430e4b726e4333997fee1e5e2d40108
-
C:\Windows\Installer\MSIF26F.tmpFilesize
413KB
MD5ed0a7ca6d9631c07104d5d62b2e6b606
SHA1acc2305cdd56f8541d89d815b80a304361c87dae
SHA256d1242cdbd87cb95e50a569320dc34b59f694eec569232f426370ced512793318
SHA512d297bf55555db5e2b64eb2e0741055c58e1d229d68697b5e2a4b227fd6807783ba99db32fa2286bf35830e30d96b2763a430e4b726e4333997fee1e5e2d40108
-
C:\Windows\Installer\MSIF26F.tmpFilesize
413KB
MD5ed0a7ca6d9631c07104d5d62b2e6b606
SHA1acc2305cdd56f8541d89d815b80a304361c87dae
SHA256d1242cdbd87cb95e50a569320dc34b59f694eec569232f426370ced512793318
SHA512d297bf55555db5e2b64eb2e0741055c58e1d229d68697b5e2a4b227fd6807783ba99db32fa2286bf35830e30d96b2763a430e4b726e4333997fee1e5e2d40108
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.0MB
MD5fce4c5d219fc1786f08e5d5fe691256f
SHA1174f0dc91081680930b74418942b1419c510e087
SHA25608386a2e44b5c180df79c37fe555b81fa87881739ee48e72c552488fce9ab5b2
SHA512fe2853efe4f072a9c68bc6f2fc8a1ebdcd4b8205fa17de6ba3a1e74687f4fedae256194355b86e264892465e906b501031f451fce46bb44e075b037e04c25988
-
\??\Volume{5d2b4a7c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bf178eea-fef1-4458-9999-46a9063cd9a6}_OnDiskSnapshotPropFilesize
5KB
MD54504476cee5f63ea0055556f2bcaec01
SHA1a72c415ae9c9db7cb08474f32435baf33a102f9e
SHA2566efc7badf7c39cd13960bc7e663e36b6e59fb77a96fc5fdcf79b9e0d621d63c7
SHA51280dc8730a35a2341f2affe6bab68a74a9f56e2b78dfff956d5368612622721a45a318e2d0a3bf0de39c865b65f3318fc6d4e96310da9ac984f275e2a9218aa49
-
memory/612-145-0x000002210A4E0000-0x000002210A4E9000-memory.dmpFilesize
36KB
-
memory/612-142-0x0000000000000000-mapping.dmp
-
memory/2024-132-0x0000000000000000-mapping.dmp
-
memory/2204-133-0x0000000000000000-mapping.dmp
-
memory/3156-136-0x0000000000000000-mapping.dmp
-
memory/3156-141-0x00007FF9F27B0000-0x00007FF9F3271000-memory.dmpFilesize
10.8MB
-
memory/3156-140-0x000001BF6DD20000-0x000001BF6DD90000-memory.dmpFilesize
448KB
-
memory/3156-151-0x00007FF9F27B0000-0x00007FF9F3271000-memory.dmpFilesize
10.8MB
-
memory/3156-139-0x000001BF55750000-0x000001BF5575A000-memory.dmpFilesize
40KB
-
memory/3156-138-0x000001BF55760000-0x000001BF5578E000-memory.dmpFilesize
184KB