Analysis
-
max time kernel
94s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted
13-12-2022 17:55
Static task
static1
Behavioral task
behavioral1
Sample
Setup_Win_13-12-2022_17-31-38.msi
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Setup_Win_13-12-2022_17-31-38.msi
Resource
win10v2004-20220812-en
General
-
Target
Setup_Win_13-12-2022_17-31-38.msi
-
Size
1.4MB
-
MD5
8b5b12a30a087fbba3b14665a8951b1d
-
SHA1
b4cb2e10c0d4144f662d70f1635f31037f6db8c8
-
SHA256
75c398d3a87e736ece65f10550519590a991f02990accf7d28cd52ac453a0a67
-
SHA512
93465a3fa6874f5bc51a1442b724bdfa5d8af576211506c55dd4af02e3d5dacd7004f84ddd835e609bdf3cd119edfee6666507bacee3e799f9e12179bbfbc08e
-
SSDEEP
24576:BHL0lPEJnFbMyawb8e1e96Pef7k0bNRjpB4dPURad+J:Br0yJKyaC/BPg1Rad+
Malware Config
Extracted
Family    icedid
Campaign  1010550214
C2        estrabornhot.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
flow  pid   process
45    2140  rundll32.exe
94    2140  rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                      process
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  rundll32.exe
The process tree below tags this on the first rundll32.exe (PID 404, the managed custom-action host), not on the rundll32.exe that loads tmpF235.dll.
Loads dropped DLL 3 IoCs
Processes:
pid   process
4780  MsiExec.exe
404   rundll32.exe
2140  rundll32.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description              ioc                                                                                                                                                                                                  process
File opened (read-only)  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:  msiexec.exe
Each of the 24 drive letters above (every letter except C: and D:) is opened twice, once by each msiexec.exe instance, giving the 48 entries.
Drops file in Windows directory 13 IoCs
Processes:
description                   ioc                                                                           process
File opened for modification  C:\Windows\Installer\MSIEA36.tmp                                              msiexec.exe
File opened for modification  C:\Windows\Installer\MSIEA36.tmp-\test.cs.dll                                 rundll32.exe
File opened for modification  C:\Windows\Installer\MSIEA36.tmp-\WixSharp.dll                                rundll32.exe
File opened for modification  C:\Windows\Installer\MSIEA36.tmp-\Microsoft.Deployment.WindowsInstaller.dll   rundll32.exe
File created                  C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}         msiexec.exe
File opened for modification  C:\Windows\Installer\MSIF552.tmp                                              msiexec.exe
File created                  C:\Windows\Installer\e56e9bb.msi                                              msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                     msiexec.exe
File opened for modification  C:\Windows\Installer\e56e9b9.msi                                              msiexec.exe
File opened for modification  C:\Windows\Installer\MSIEA36.tmp-\CustomAction.config                         rundll32.exe
File opened for modification  C:\Windows\Installer\                                                         msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                                msiexec.exe
File created                  C:\Windows\Installer\e56e9b9.msi                                              msiexec.exe
The MSIEA36.tmp-\ directory (test.cs.dll, WixSharp.dll, Microsoft.Deployment.WindowsInstaller.dll, CustomAction.config) is the unpacked managed custom-action package: a WixSharp action built on the WiX Deployment Tools Foundation, which matches the test.cs!Test.CustomActions.MyAction entry point on the rundll32.exe command line below.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(Generic signature text: the report attributes no process or IoC to it, and the only drive-root access it lists is the read-only opens by msiexec.exe under "Enumerates connected drives"; nothing on this page points to encryption activity.)
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description       ioc                                                                                                                                process
Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                  vssvc.exe
Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr          vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not preserved on this page)  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                  vssvc.exe
All five entries come from vssvc.exe (PID 4436), the Volume Shadow Copy service, and the SnapshotDataCache value it writes begins with the ASCII tag "SNAPPART" (534e4150 50415254). That is the service recording a snapshot for the restore point msiexec.exe requested through srtasks.exe ExecuteScopeRestorePoint, i.e. Windows Installer housekeeping rather than sandbox detection by the payload.
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
3408  msiexec.exe
3408  msiexec.exe
2140  rundll32.exe
2140  rundll32.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (64 token adjustments, grouped by process):
4532 msiexec.exe (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
3408 msiexec.exe (30): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, then SeTakeOwnershipPrivilege and SeRestorePrivilege alternating 13 times (26 entries)
4436 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
4532  msiexec.exe
4532  msiexec.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes (each write is recorded twice, 8 entries):
pid   process       target pid  target process
3408  msiexec.exe   1156        srtasks.exe
3408  msiexec.exe   4780        MsiExec.exe
4780  MsiExec.exe   404         rundll32.exe
404   rundll32.exe  2140        rundll32.exe
Processes
- C:\Windows\system32\msiexec.exe (PID 4532)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_13-12-2022_17-31-38.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 3408, the Windows Installer service instance)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 1156)
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\System32\MsiExec.exe (PID 4780, custom-action server)
    C:\Windows\System32\MsiExec.exe -Embedding 10045084E72D3D0C8DEE8820751EDE84
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe (PID 404)
      rundll32.exe "C:\Windows\Installer\MSIEA36.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240577203 2 test.cs!Test.CustomActions.MyAction
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\rundll32.exe (PID 2140)
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpF235.dll",init
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 4436)
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
PIDs are taken from the signature tables above; the indentation follows the parent/child writes recorded under "Suspicious use of WriteProcessMemory". The chain to watch is MsiExec.exe -Embedding to a rundll32.exe managed custom action to a second rundll32.exe loading a DLL out of %LOCALAPPDATA%\Temp with the export init, which is the process that then makes the network request.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpF235.dll (loaded by rundll32.exe PID 2140, export init)
Filesize 970KB
MD5 6a058edb49674a880e176765872419d8
SHA1 f44ae6593971176b6fe30b481c923bcb85b84b9f
SHA256 b7da73f9002e5f4c2b5d40cd062bc23d12a08775fd47ac0e1fe96d98e211e2a8
SHA512 c9b068e0b5cca7b1687926b7a19667ddf8cdb7a11feeec6e13f253165fc13f9a8538d35c275263251a6143f12baec7d4b2c8022f7dfec006e19e2005adfa265b
-
C:\Windows\Installer\MSIEA36.tmp (managed custom-action host loaded by rundll32.exe PID 404)
Filesize 413KB
MD5 859c238b1aa6bbcdaaabe3e5d7f1dad6
SHA1 2a8c17ec585a39f6eba3207a08f865f2ef3c47bd
SHA256 d9bf99badaea49228e48c5428fbfe7ba9932254ea92fdcd7c27ac88833a65dae
SHA512 95c79d22c52c964cd631617d01c2b9cf4a507c3765554148eecba72695354669fed81fec088849256c62b006f175f552031895f48bf97e9d5ab4ba69eecc87e7
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize 23.0MB
MD5 c04954a4e1e28ea1bbe3e587a40ad732
SHA1 3737010395d06e169e441e5a91396e11b3c4d20d
SHA256 3f938d5663fff0bb90bd4cf3a580efefdff659e92d1e4b323ded29db8d782e09
SHA512 fb043fa82590abf9ee960afdc3cc27cc0e4da78518a32296e80a72536c9adcd5db4c4e76eb5d73aa12401767fc9973289d946ddabf721036ee95bdf2bb2c5d30
-
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bdadcbac-79a5-4dbb-b4a7-4d2e44f6f991}_OnDiskSnapshotProp
Filesize 5KB
MD5 8392adb46aa5fe1984d06706a0031e20
SHA1 714df5d7a507d49f826986a52239ad942db5df29
SHA256 7ab5c1b3fd0983d3c5073bd0afd199f6f6509de0e01df15dce183d51a134aa89
SHA512 74578ea9ef16acaf277040772a481e640ea83f6c985d9791573ad1d4760dbd968b9f8cb4e28dd3bf84c79118b77089e51c8de1bf37007ae38aa06be4f80aa24e
These two System Protection (SPP) files live under System Volume Information and were touched through the shadow copy taken for the restore point (srtasks.exe ExecuteScopeRestorePoint, vssvc.exe); they are operating-system artifacts of the install, not files written by the sample.
-
memory/404-141-0x000002D3F9B10000-0x000002D3F9B80000-memory.dmp   Filesize 448KB
memory/404-140-0x00007FF904820000-0x00007FF9052E1000-memory.dmp   Filesize 10.8MB
memory/404-139-0x000002D3F98C0000-0x000002D3F98CA000-memory.dmp   Filesize 40KB
memory/404-136-0x0000000000000000-mapping.dmp
memory/404-145-0x00007FF904820000-0x00007FF9052E1000-memory.dmp   Filesize 10.8MB
memory/404-138-0x000002D3F98F0000-0x000002D3F991E000-memory.dmp   Filesize 184KB
memory/1156-132-0x0000000000000000-mapping.dmp
memory/2140-142-0x0000000000000000-mapping.dmp
memory/2140-146-0x0000000180000000-0x0000000180009000-memory.dmp   Filesize 36KB
memory/4780-133-0x0000000000000000-mapping.dmp