Analysis
- max time kernel: 113s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-12-2022 20:20
Static task: static1
Behavioral task: behavioral1
- Sample: soon_even.msi
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: soon_even.msi
- Resource: win10v2004-20221111-en
General
- Target: soon_even.msi
- Size: 1.4MB
- MD5: e97dda068d2b38835208a41cadad4740
- SHA1: 67adf8ec8479b8132f7a999f7d7556481d584208
- SHA256: ebd022c7fed376881b90383028b0a6b18bc68f068cab5b4dadc57690612952e7
- SHA512: 8da4eff36676d8ed7cf13c0da0a853e19d54eaeb3c3d3ee4cb7945e1db4582fbb879838f91660a6a53f88ac29c12c633e88d713a92152d8116ea3fe6ee0ff634
- SSDEEP: 24576:nHL0HPEJnFbMyaPb8e1e96Pef7k0bNRjpB4dPURaZ:nr0MJKyaT/BPg1RaZ
Malware Config
Extracted:
- icedid
- 3407323965
- estrabornhot.com
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow / pid / process):
  - flow 56, pid 1744, rundll32.exe
  - flow 74, pid 1744, rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (rundll32.exe)
- Loads dropped DLL (3 IoCs)
  Processes (pid / process):
  - 4576 MsiExec.exe
  - 5020 rundll32.exe
  - 1744 rundll32.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process):
  - File opened (read-only) by msiexec.exe, twice each: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:; 48 entries in total)
- Drops file in Windows directory (13 IoCs)
  Processes (description / ioc / process):
  - File created: C:\Windows\Installer\e5736cf.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI374C.tmp-\Microsoft.Deployment.WindowsInstaller.dll (rundll32.exe)
  - File created: C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI4046.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI374C.tmp-\WixSharp.dll (rundll32.exe)
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\e5736cf.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI374C.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI374C.tmp-\test.cs.dll (rundll32.exe)
  - File opened for modification: C:\Windows\Installer\MSI374C.tmp-\CustomAction.config (rundll32.exe)
  - File created: C:\Windows\Installer\e5736d1.msi (msiexec.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value missing from this copy of the report] (vssvc.exe)
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
  - 5048 msiexec.exe
  - 5048 msiexec.exe
  - 1744 rundll32.exe
  - 1744 rundll32.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process):
  - 4500 msiexec.exe, tokens in the order recorded: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 entries)
  - 2028 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 entries)
  - 5048 msiexec.exe: SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (SeRestorePrivilege x15, SeTakeOwnershipPrivilege x13; 30 entries)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
  - 4500 msiexec.exe
  - 4500 msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  - PID 5048 msiexec.exe wrote to memory of 4984 srtasks.exe
  - PID 5048 msiexec.exe wrote to memory of 4984 srtasks.exe
  - PID 5048 msiexec.exe wrote to memory of 4576 MsiExec.exe
  - PID 5048 msiexec.exe wrote to memory of 4576 MsiExec.exe
  - PID 4576 MsiExec.exe wrote to memory of 5020 rundll32.exe
  - PID 4576 MsiExec.exe wrote to memory of 5020 rundll32.exe
  - PID 5020 rundll32.exe wrote to memory of 1744 rundll32.exe
  - PID 5020 rundll32.exe wrote to memory of 1744 rundll32.exe
Processes (indented by depth in the process tree)
- Image: C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\soon_even.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- Image: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - Image: C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 0ED9F87EE60BEA45795962B41DBE56D9
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Image: C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe "C:\Windows\Installer\MSI374C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240596921 2 test.cs!Test.CustomActions.MyAction
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - Image: C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp3B82.dll",init
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
- Image: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3B82.dll
  Filesize: 970KB
  MD5: 2890e5f0cfc6002f91d3c6fe864fd13b
  SHA1: 571bf0539400fcd6f803b10be2fa86782110fd2d
  SHA256: 68a083503a2de1e5f5c4709eb1a294157b27616cbb4f7941cc46ed0a1c1166ee
  SHA512: 157d02900d806b36ec78b14be84719788db3811d205e6e88c5cf279fbd0a03d63f131be26f34ece697d963671e15047a427a004ff54834d2d5969d419beb4883
- C:\Windows\Installer\MSI374C.tmp
  Filesize: 413KB
  MD5: 146e479aafa7af37336def7997189975
  SHA1: 96481247f7addef1c67b700a87a0815cc5318bfa
  SHA256: 763e08bd69a79b127ff302e01d060e646ddcf66546eeced6e14ceedc3099ebfd
  SHA512: a868432cb77754b65bd498fb5f83751876a39f1ce65a4ea598376f9e6e67de6c86bf4d4ec87dbaa264237c2457a1ba14c2bb9efb2420c4484b6a6e17b0bee2ba
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: eb6fe57ac84c023debeb17626c6a191a
  SHA1: 3421ea91d54dc3afa5b86046c60862ce16014039
  SHA256: 3b967ac5b5c7267b0f591ae11b26dd234e01418122e15c833a6b7917e4df1827
  SHA512: 8fda65c27365a728fe5c10ccbacc68d3ac578f614c861ec0d9f69cdd510e3721d6545020f1297d7fdddcb7a067abdd255c29373bee3b6bad6e765825e2f2dc51
- \??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9f6d89a1-1415-463c-869f-4b50b021bdb3}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 71d4ead3560b5fb0a9223c14021453cc
  SHA1: a631ce2ea9761e9e3f60122ff48a651437af09e6
  SHA256: f44917b1d8d4777cac37ec8f2d272dddd0ebe6c57a96f155521e1136166e36eb
  SHA512: a055f8d570ffb780ee5d318ce71af3d8bf26e116117b73c5537f19067e6c46877c705601353da97f98417df24f2098330798e22d80846f15b58c60c2042265bb
- memory/1744-145-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
- memory/1744-142-0x0000000000000000-mapping.dmp
- memory/4576-133-0x0000000000000000-mapping.dmp
- memory/4984-132-0x0000000000000000-mapping.dmp
- memory/5020-139-0x000001FC642B0000-0x000001FC642BA000-memory.dmp (Filesize: 40KB)
- memory/5020-136-0x0000000000000000-mapping.dmp
- memory/5020-146-0x00007FFBCCB40000-0x00007FFBCD601000-memory.dmp (Filesize: 10.8MB)
- memory/5020-141-0x00007FFBCCB40000-0x00007FFBCD601000-memory.dmp (Filesize: 10.8MB)
- memory/5020-140-0x000001FC7E8C0000-0x000001FC7E930000-memory.dmp (Filesize: 448KB)
- memory/5020-138-0x000001FC642E0000-0x000001FC6430E000-memory.dmp (Filesize: 184KB)