Analysis
- max time kernel: 140s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-12-2022 17:56
Static task: static1
Behavioral task: behavioral1
- Sample: 75c398d3a87e736ece65f10550519590a991f02990accf7d28cd52ac453a0a67.msi
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 75c398d3a87e736ece65f10550519590a991f02990accf7d28cd52ac453a0a67.msi
- Resource: win10v2004-20221111-en
General
- Target: 75c398d3a87e736ece65f10550519590a991f02990accf7d28cd52ac453a0a67.msi
- Size: 1.4MB
- MD5: 8b5b12a30a087fbba3b14665a8951b1d
- SHA1: b4cb2e10c0d4144f662d70f1635f31037f6db8c8
- SHA256: 75c398d3a87e736ece65f10550519590a991f02990accf7d28cd52ac453a0a67
- SHA512: 93465a3fa6874f5bc51a1442b724bdfa5d8af576211506c55dd4af02e3d5dacd7004f84ddd835e609bdf3cd119edfee6666507bacee3e799f9e12179bbfbc08e
- SSDEEP: 24576:BHL0lPEJnFbMyawb8e1e96Pef7k0bNRjpB4dPURad+J:Br0yJKyaC/BPg1Rad+
Malware Config
Extracted
- Family: icedid
- 1010550214
- estrabornhot.com
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow, pid, process):
  - flow 37, pid 5024, rundll32.exe
  - flow 58, pid 5024, rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation (rundll32.exe)
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
  - 1276 MsiExec.exe
  - 4892 rundll32.exe
  - 5024 rundll32.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description, ioc, process): two msiexec.exe instances; File opened (read-only), twice for each of the following paths: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (msiexec.exe)
- Drops file in Windows directory (13 IoCs)
  Processes (description, ioc, process):
  - File opened for modification C:\Windows\Installer\MSIDC7A.tmp (msiexec.exe)
  - File opened for modification C:\Windows\Installer\MSIDC7A.tmp-\test.cs.dll (rundll32.exe)
  - File opened for modification C:\Windows\Installer\MSIDC7A.tmp-\Microsoft.Deployment.WindowsInstaller.dll (rundll32.exe)
  - File opened for modification C:\Windows\Installer\ (msiexec.exe)
  - File created C:\Windows\Installer\e56dc0f.msi (msiexec.exe)
  - File created C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} (msiexec.exe)
  - File opened for modification C:\Windows\Installer\MSIE390.tmp (msiexec.exe)
  - File created C:\Windows\Installer\e56dc0d.msi (msiexec.exe)
  - File opened for modification C:\Windows\Installer\e56dc0d.msi (msiexec.exe)
  - File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  - File opened for modification C:\Windows\Installer\MSIDC7A.tmp-\CustomAction.config (rundll32.exe)
  - File opened for modification C:\Windows\Installer\MSIDC7A.tmp-\WixSharp.dll (rundll32.exe)
  - File created C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process); all entries are under the key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters:
  - Set value (data) ...\Device Parameters\Partmgr\SnapshotDataCache = (binary value omitted) (vssvc.exe)
  - Key opened ...\Device Parameters (vssvc.exe)
  - Key queried ...\Device Parameters (vssvc.exe)
  - Key created ...\Device Parameters\Partmgr (vssvc.exe)
  - Set value (data) ...\Device Parameters\Partmgr\PartitionTableCache = (binary value omitted) (vssvc.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process):
  - 4768 msiexec.exe
  - 4768 msiexec.exe
  - 5024 rundll32.exe
  - 5024 rundll32.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process), grouped by process:
  - pid 1364 msiexec.exe (31 IoCs), tokens in reported order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - pid 4768 msiexec.exe (30 IoCs): SeSecurityPrivilege (1), SeBackupPrivilege (1), SeRestorePrivilege (15) and SeTakeOwnershipPrivilege (13), the last two alternating
  - pid 3148 vssvc.exe (3 IoCs): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
  - 1364 msiexec.exe
  - 1364 msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 4768 wrote to memory of 1232: 4768 msiexec.exe, target srtasks.exe
  - PID 4768 wrote to memory of 1232: 4768 msiexec.exe, target srtasks.exe
  - PID 4768 wrote to memory of 1276: 4768 msiexec.exe, target MsiExec.exe
  - PID 4768 wrote to memory of 1276: 4768 msiexec.exe, target MsiExec.exe
  - PID 1276 wrote to memory of 4892: 1276 MsiExec.exe, target rundll32.exe
  - PID 1276 wrote to memory of 4892: 1276 MsiExec.exe, target rundll32.exe
  - PID 4892 wrote to memory of 5024: 4892 rundll32.exe, target rundll32.exe
  - PID 4892 wrote to memory of 5024: 4892 rundll32.exe, target rundll32.exe
Processes (tree, nested by the depth the report gives each process)
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\75c398d3a87e736ece65f10550519590a991f02990accf7d28cd52ac453a0a67.msi
  Signatures:
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding A4DFF46337B2CFE816079929028100E9
    Signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe "C:\Windows\Installer\MSIDC7A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240573671 2 test.cs!Test.CustomActions.MyAction
      Signatures:
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpE004.dll",init
        Signatures:
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpE004.dll
  Filesize: 970KB
  MD5: 6a058edb49674a880e176765872419d8
  SHA1: f44ae6593971176b6fe30b481c923bcb85b84b9f
  SHA256: b7da73f9002e5f4c2b5d40cd062bc23d12a08775fd47ac0e1fe96d98e211e2a8
  SHA512: c9b068e0b5cca7b1687926b7a19667ddf8cdb7a11feeec6e13f253165fc13f9a8538d35c275263251a6143f12baec7d4b2c8022f7dfec006e19e2005adfa265b
- C:\Windows\Installer\MSIDC7A.tmp
  Filesize: 413KB
  MD5: 859c238b1aa6bbcdaaabe3e5d7f1dad6
  SHA1: 2a8c17ec585a39f6eba3207a08f865f2ef3c47bd
  SHA256: d9bf99badaea49228e48c5428fbfe7ba9932254ea92fdcd7c27ac88833a65dae
  SHA512: 95c79d22c52c964cd631617d01c2b9cf4a507c3765554148eecba72695354669fed81fec088849256c62b006f175f552031895f48bf97e9d5ab4ba69eecc87e7
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: 7eab3a43a1571f30a6155259a924fc64
  SHA1: cbe2bc2880b8916897bb3bd6691f1e24662cd6a2
  SHA256: ee42f322f553b2cc430b910fe29d46be73abe7f1bbe48c93825afde8b85a168b
  SHA512: 30f2ccd39196698d1b3c91500512a1d9e31723b6d986d123d6f11e20d10c0c17a833d459f59ff960de6d90eae913312f7acfcd7764e2b987f571a759e82a9619
- \??\Volume{d2616110-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a5a54a59-7d5d-4096-812b-2e7044bf87a5}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 8cdd1721b7478c5f5b55781da6b1bd71
  SHA1: e0de43c8a9af5c5223cb8df0e901b6b7e30e06de
  SHA256: 20010bd91129b315ae7714ef759bb747e9e7d21a72009c52490722046ee1d80e
  SHA512: 22733ba2d3068279f7fbcadf337165db3d7ffe66f3814838315f6f84fc5b3eb73bc381ed5b53dae1a527ff09c8cdf6b24f934c4f40d73cac17aaff8efe5ba2cd
Memory dumps:
- memory/1232-132-0x0000000000000000-mapping.dmp
- memory/1276-133-0x0000000000000000-mapping.dmp
- memory/4892-136-0x0000000000000000-mapping.dmp
- memory/4892-141-0x00007FF9D3130000-0x00007FF9D3BF1000-memory.dmp (Filesize: 10.8MB)
- memory/4892-140-0x000001AB7EF30000-0x000001AB7EFA0000-memory.dmp (Filesize: 448KB)
- memory/4892-147-0x00007FF9D3130000-0x00007FF9D3BF1000-memory.dmp (Filesize: 10.8MB)
- memory/4892-139-0x000001AB66950000-0x000001AB6695A000-memory.dmp (Filesize: 40KB)
- memory/4892-138-0x000001AB66970000-0x000001AB6699E000-memory.dmp (Filesize: 184KB)
- memory/5024-142-0x0000000000000000-mapping.dmp
- memory/5024-145-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)