Analysis
-
max time kernel: 133s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2022 18:28
Static task: static1
Behavioral task: behavioral1
  Sample: Scan_Invoice_12-09#46.msi
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: Scan_Invoice_12-09#46.msi
  Resource: win10v2004-20220812-en
General
-
Target: Scan_Invoice_12-09#46.msi
Size: 824KB
MD5: eb93a0d10c8b95407415ddbfdb98e1b9
SHA1: 74350debcdc7cfab67bcb612750fb4cb1f791649
SHA256: b1d89aa18cd6e5e8e007713b1f79ae72238e85211c19d403b02ace2eac464e67
SHA512: 046ce84e6e90885419a9a1974468f7565ea9aa21945bc8987212e175178c1ce5cd61253a8b34f517fafddb307d8264361a5794a673e2e78d56df3490b66b1dff
SSDEEP: 24576:HHL049mTn3Tp9Lol00aID/kJAHC+WPXoPcTPbgrQlRNKIg8gx:Hr04a3k00o+WPXoPcTPbgrQlRNKIg8g
Malware Config
-
Extracted:
  Family: icedid
  1178326404
  broskabrwaf.com
Signatures
-
Blocklisted process makes network request (2 IoCs)
Processes: rundll32.exe
flow | pid | process
55 | 612 | rundll32.exe
57 | 612 | rundll32.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | rundll32.exe
-
Loads dropped DLL (3 IoCs)
Processes: MsiExec.exe, rundll32.exe, rundll32.exe
pid | process
2204 | MsiExec.exe
3156 | rundll32.exe
612 | rundll32.exe
-
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
All 48 entries have description "File opened (read-only)" and process msiexec.exe; the ioc column, in the order reported:
\??\L:, \??\G:, \??\Q:, \??\Z:, \??\H:, \??\J:, \??\K:, \??\P:, \??\R:, \??\U:, \??\Y:, \??\H:, \??\I:, \??\Y:, \??\W:, \??\L:, \??\W:, \??\Q:, \??\N:, \??\V:, \??\X:, \??\B:, \??\E:, \??\I:, \??\J:, \??\F:, \??\V:, \??\M:, \??\O:, \??\Z:, \??\A:, \??\T:, \??\E:, \??\M:, \??\P:, \??\R:, \??\X:, \??\A:, \??\S:, \??\T:, \??\F:, \??\N:, \??\O:, \??\S:, \??\G:, \??\K:, \??\U:, \??\B:
-
Drops file in Windows directory (13 IoCs)
Processes: msiexec.exe, rundll32.exe
description | ioc | process
File created | C:\Windows\Installer\e57ec83.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57ec83.msi | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF26F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF26F.tmp-\WixSharp.dll | rundll32.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIEFCE.tmp | msiexec.exe
File created | C:\Windows\Installer\e57ec85.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF26F.tmp-\test.cs.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIF26F.tmp-\CustomAction.config | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIF26F.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value elided) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: msiexec.exe, rundll32.exe
pid | process
2436 | msiexec.exe
2436 | msiexec.exe
612 | rundll32.exe
612 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe
description | pid | process
Token: SeShutdownPrivilege | 4772 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4772 | msiexec.exe
Token: SeSecurityPrivilege | 2436 | msiexec.exe
Token: SeCreateTokenPrivilege | 4772 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4772 | msiexec.exe
Token: SeLockMemoryPrivilege | 4772 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4772 | msiexec.exe
Token: SeMachineAccountPrivilege | 4772 | msiexec.exe
Token: SeTcbPrivilege | 4772 | msiexec.exe
Token: SeSecurityPrivilege | 4772 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4772 | msiexec.exe
Token: SeLoadDriverPrivilege | 4772 | msiexec.exe
Token: SeSystemProfilePrivilege | 4772 | msiexec.exe
Token: SeSystemtimePrivilege | 4772 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4772 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4772 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4772 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4772 | msiexec.exe
Token: SeBackupPrivilege | 4772 | msiexec.exe
Token: SeRestorePrivilege | 4772 | msiexec.exe
Token: SeShutdownPrivilege | 4772 | msiexec.exe
Token: SeDebugPrivilege | 4772 | msiexec.exe
Token: SeAuditPrivilege | 4772 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4772 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4772 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4772 | msiexec.exe
Token: SeUndockPrivilege | 4772 | msiexec.exe
Token: SeSyncAgentPrivilege | 4772 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4772 | msiexec.exe
Token: SeManageVolumePrivilege | 4772 | msiexec.exe
Token: SeImpersonatePrivilege | 4772 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4772 | msiexec.exe
Token: SeBackupPrivilege | 4556 | vssvc.exe
Token: SeRestorePrivilege | 4556 | vssvc.exe
Token: SeAuditPrivilege | 4556 | vssvc.exe
Token: SeBackupPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2436 | msiexec.exe
Token: SeRestorePrivilege | 2436 | msiexec.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
pid | process
4772 | msiexec.exe
4772 | msiexec.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: msiexec.exe, MsiExec.exe, rundll32.exe
description | pid | process | target process
PID 2436 wrote to memory of 2024 | 2436 | msiexec.exe | srtasks.exe
PID 2436 wrote to memory of 2024 | 2436 | msiexec.exe | srtasks.exe
PID 2436 wrote to memory of 2204 | 2436 | msiexec.exe | MsiExec.exe
PID 2436 wrote to memory of 2204 | 2436 | msiexec.exe | MsiExec.exe
PID 2204 wrote to memory of 3156 | 2204 | MsiExec.exe | rundll32.exe
PID 2204 wrote to memory of 3156 | 2204 | MsiExec.exe | rundll32.exe
PID 3156 wrote to memory of 612 | 3156 | rundll32.exe | rundll32.exe
PID 3156 wrote to memory of 612 | 3156 | rundll32.exe | rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exe (depth 1)
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Scan_Invoice_12-09#46.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe (depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\system32\srtasks.exe (depth 2)
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
-
  C:\Windows\System32\MsiExec.exe (depth 2)
  Command line: C:\Windows\System32\MsiExec.exe -Embedding ED651FEAA2C3B1CD8BACC823DF7F9990
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\rundll32.exe (depth 3)
    Command line: rundll32.exe "C:\Windows\Installer\MSIF26F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240644843 2 test.cs!Test.CustomActions.MyAction
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
-
      C:\Windows\System32\rundll32.exe (depth 4)
      Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpF78F.dll",init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpF78F.dll
Filesize: 374KB
MD5: eaf85e9f10d0e3079484391d29307ae9
SHA1: f82505f4699ed2df7a1a9fb46a12005f8528a175
SHA256: 6517ef2c579002ec62ddeb01a3175917c75d79ceca355c415a4462922c715cb6
SHA512: 64e60335f7c10b838fa9e0ba3dc3d883ab5e62972e980090f04d90f2342e78ee916e39fb814dff02e020fe6c412c2486f30fd7f5a2082b58ae9c2d548e022f2a
-
C:\Windows\Installer\MSIF26F.tmp
Filesize: 413KB
MD5: ed0a7ca6d9631c07104d5d62b2e6b606
SHA1: acc2305cdd56f8541d89d815b80a304361c87dae
SHA256: d1242cdbd87cb95e50a569320dc34b59f694eec569232f426370ced512793318
SHA512: d297bf55555db5e2b64eb2e0741055c58e1d229d68697b5e2a4b227fd6807783ba99db32fa2286bf35830e30d96b2763a430e4b726e4333997fee1e5e2d40108
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize: 23.0MB
MD5: fce4c5d219fc1786f08e5d5fe691256f
SHA1: 174f0dc91081680930b74418942b1419c510e087
SHA256: 08386a2e44b5c180df79c37fe555b81fa87881739ee48e72c552488fce9ab5b2
SHA512: fe2853efe4f072a9c68bc6f2fc8a1ebdcd4b8205fa17de6ba3a1e74687f4fedae256194355b86e264892465e906b501031f451fce46bb44e075b037e04c25988
-
\??\Volume{5d2b4a7c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bf178eea-fef1-4458-9999-46a9063cd9a6}_OnDiskSnapshotProp
Filesize: 5KB
MD5: 4504476cee5f63ea0055556f2bcaec01
SHA1: a72c415ae9c9db7cb08474f32435baf33a102f9e
SHA256: 6efc7badf7c39cd13960bc7e663e36b6e59fb77a96fc5fdcf79b9e0d621d63c7
SHA512: 80dc8730a35a2341f2affe6bab68a74a9f56e2b78dfff956d5368612622721a45a318e2d0a3bf0de39c865b65f3318fc6d4e96310da9ac984f275e2a9218aa49
-
memory/612-145-0x000002210A4E0000-0x000002210A4E9000-memory.dmp
Filesize: 36KB
-
memory/612-142-0x0000000000000000-mapping.dmp
-
memory/2024-132-0x0000000000000000-mapping.dmp
-
memory/2204-133-0x0000000000000000-mapping.dmp
-
memory/3156-136-0x0000000000000000-mapping.dmp
-
memory/3156-141-0x00007FF9F27B0000-0x00007FF9F3271000-memory.dmp
Filesize: 10.8MB
-
memory/3156-140-0x000001BF6DD20000-0x000001BF6DD90000-memory.dmp
Filesize: 448KB
-
memory/3156-151-0x00007FF9F27B0000-0x00007FF9F3271000-memory.dmp
Filesize: 10.8MB
-
memory/3156-139-0x000001BF55750000-0x000001BF5575A000-memory.dmp
Filesize: 40KB
-
memory/3156-138-0x000001BF55760000-0x000001BF5578E000-memory.dmp
Filesize: 184KB