Overview

overview

10

Static

static

75c398d3a8...67.msi

windows7-x64

10

75c398d3a8...67.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2022 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    75c398d3a87e736ece65f10550519590a991f02990accf7d28cd52ac453a0a67.msi

  • Size

    1.4MB

  • MD5

    8b5b12a30a087fbba3b14665a8951b1d

  • SHA1

    b4cb2e10c0d4144f662d70f1635f31037f6db8c8

  • SHA256

    75c398d3a87e736ece65f10550519590a991f02990accf7d28cd52ac453a0a67

  • SHA512

    93465a3fa6874f5bc51a1442b724bdfa5d8af576211506c55dd4af02e3d5dacd7004f84ddd835e609bdf3cd119edfee6666507bacee3e799f9e12179bbfbc08e

  • SSDEEP

    24576:BHL0lPEJnFbMyawb8e1e96Pef7k0bNRjpB4dPURad+J:Br0yJKyaC/BPg1Rad+

Score
10/10
icedid1010550214bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

1010550214

C2

estrabornhot.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\75c398d3a87e736ece65f10550519590a991f02990accf7d28cd52ac453a0a67.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1364
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1232
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding A4DFF46337B2CFE816079929028100E9
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1276
        • C:\Windows\system32\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIDC7A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240573671 2 test.cs!Test.CustomActions.MyAction
          3⤵
          • Checks computer location settings
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:4892
          • C:\Windows\System32\rundll32.exe
            "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpE004.dll",init
            4⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:5024
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3148

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    2
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpE004.dll
      Filesize

      970KB

      MD5

      6a058edb49674a880e176765872419d8

      SHA1

      f44ae6593971176b6fe30b481c923bcb85b84b9f

      SHA256

      b7da73f9002e5f4c2b5d40cd062bc23d12a08775fd47ac0e1fe96d98e211e2a8

      SHA512

      c9b068e0b5cca7b1687926b7a19667ddf8cdb7a11feeec6e13f253165fc13f9a8538d35c275263251a6143f12baec7d4b2c8022f7dfec006e19e2005adfa265b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmpE004.dll
      Filesize

      970KB

      MD5

      6a058edb49674a880e176765872419d8

      SHA1

      f44ae6593971176b6fe30b481c923bcb85b84b9f

      SHA256

      b7da73f9002e5f4c2b5d40cd062bc23d12a08775fd47ac0e1fe96d98e211e2a8

      SHA512

      c9b068e0b5cca7b1687926b7a19667ddf8cdb7a11feeec6e13f253165fc13f9a8538d35c275263251a6143f12baec7d4b2c8022f7dfec006e19e2005adfa265b

      Download Submit
    • C:\Windows\Installer\MSIDC7A.tmp
      Filesize

      413KB

      MD5

      859c238b1aa6bbcdaaabe3e5d7f1dad6

      SHA1

      2a8c17ec585a39f6eba3207a08f865f2ef3c47bd

      SHA256

      d9bf99badaea49228e48c5428fbfe7ba9932254ea92fdcd7c27ac88833a65dae

      SHA512

      95c79d22c52c964cd631617d01c2b9cf4a507c3765554148eecba72695354669fed81fec088849256c62b006f175f552031895f48bf97e9d5ab4ba69eecc87e7

      Download Submit
    • C:\Windows\Installer\MSIDC7A.tmp
      Filesize

      413KB

      MD5

      859c238b1aa6bbcdaaabe3e5d7f1dad6

      SHA1

      2a8c17ec585a39f6eba3207a08f865f2ef3c47bd

      SHA256

      d9bf99badaea49228e48c5428fbfe7ba9932254ea92fdcd7c27ac88833a65dae

      SHA512

      95c79d22c52c964cd631617d01c2b9cf4a507c3765554148eecba72695354669fed81fec088849256c62b006f175f552031895f48bf97e9d5ab4ba69eecc87e7

      Download Submit
    • C:\Windows\Installer\MSIDC7A.tmp
      Filesize

      413KB

      MD5

      859c238b1aa6bbcdaaabe3e5d7f1dad6

      SHA1

      2a8c17ec585a39f6eba3207a08f865f2ef3c47bd

      SHA256

      d9bf99badaea49228e48c5428fbfe7ba9932254ea92fdcd7c27ac88833a65dae

      SHA512

      95c79d22c52c964cd631617d01c2b9cf4a507c3765554148eecba72695354669fed81fec088849256c62b006f175f552031895f48bf97e9d5ab4ba69eecc87e7

      Download Submit
    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.0MB

      MD5

      7eab3a43a1571f30a6155259a924fc64

      SHA1

      cbe2bc2880b8916897bb3bd6691f1e24662cd6a2

      SHA256

      ee42f322f553b2cc430b910fe29d46be73abe7f1bbe48c93825afde8b85a168b

      SHA512

      30f2ccd39196698d1b3c91500512a1d9e31723b6d986d123d6f11e20d10c0c17a833d459f59ff960de6d90eae913312f7acfcd7764e2b987f571a759e82a9619

      Download Submit
    • \??\Volume{d2616110-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a5a54a59-7d5d-4096-812b-2e7044bf87a5}_OnDiskSnapshotProp
      Filesize

      5KB

      MD5

      8cdd1721b7478c5f5b55781da6b1bd71

      SHA1

      e0de43c8a9af5c5223cb8df0e901b6b7e30e06de

      SHA256

      20010bd91129b315ae7714ef759bb747e9e7d21a72009c52490722046ee1d80e

      SHA512

      22733ba2d3068279f7fbcadf337165db3d7ffe66f3814838315f6f84fc5b3eb73bc381ed5b53dae1a527ff09c8cdf6b24f934c4f40d73cac17aaff8efe5ba2cd

      Download Submit
    • memory/1232-132-0x0000000000000000-mapping.dmp
      Download
    • memory/1276-133-0x0000000000000000-mapping.dmp
      Download
    • memory/4892-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4892-141-0x00007FF9D3130000-0x00007FF9D3BF1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4892-140-0x000001AB7EF30000-0x000001AB7EFA0000-memory.dmp
      Filesize

      448KB

      Download
    • memory/4892-147-0x00007FF9D3130000-0x00007FF9D3BF1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4892-139-0x000001AB66950000-0x000001AB6695A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4892-138-0x000001AB66970000-0x000001AB6699E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/5024-142-0x0000000000000000-mapping.dmp
      Download
    • memory/5024-145-0x0000000180000000-0x0000000180009000-memory.dmp
      Filesize

      36KB

      Download