Analysis
- max time kernel: 94s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-12-2022 06:26
Static task: static1
Behavioral task: behavioral1
- Sample: soon_even.msi
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: soon_even.msi
- Resource: win10v2004-20221111-en
General
- Target: soon_even.msi
- Size: 1.4MB
- MD5: e97dda068d2b38835208a41cadad4740
- SHA1: 67adf8ec8479b8132f7a999f7d7556481d584208
- SHA256: ebd022c7fed376881b90383028b0a6b18bc68f068cab5b4dadc57690612952e7
- SHA512: 8da4eff36676d8ed7cf13c0da0a853e19d54eaeb3c3d3ee4cb7945e1db4582fbb879838f91660a6a53f88ac29c12c633e88d713a92152d8116ea3fe6ee0ff634
- SSDEEP: 24576:nHL0HPEJnFbMyaPb8e1e96Pef7k0bNRjpB4dPURaZ:nr0MJKyaT/BPg1RaZ
Malware Config
Extracted
- Family: icedid
- Campaign ID: 3407323965
- C2: estrabornhot.com
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe
    flow 47  pid 2252  rundll32.exe
    flow 55  pid 2252  rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: rundll32.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  rundll32.exe
- Loads dropped DLL (3 IoCs)
  Processes: MsiExec.exe, rundll32.exe, rundll32.exe
    pid 3600  MsiExec.exe
    pid 508   rundll32.exe
    pid 2252  rundll32.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
    File opened (read-only) by msiexec.exe: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (each drive root is listed twice in the report, 48 entries in total)
- Drops file in Windows directory (13 IoCs)
  Processes: msiexec.exe, rundll32.exe
    File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
    File opened for modification  C:\Windows\Installer\MSIEC59.tmp  msiexec.exe
    File opened for modification  C:\Windows\Installer\MSIEC59.tmp-\test.cs.dll  rundll32.exe
    File opened for modification  C:\Windows\Installer\MSIEC59.tmp-\CustomAction.config  rundll32.exe
    File opened for modification  C:\Windows\Installer\  msiexec.exe
    File created                  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
    File created                  C:\Windows\Installer\e56ebfb.msi  msiexec.exe
    File opened for modification  C:\Windows\Installer\e56ebfb.msi  msiexec.exe
    File opened for modification  C:\Windows\Installer\MSIF727.tmp  msiexec.exe
    File created                  C:\Windows\Installer\e56ebfd.msi  msiexec.exe
    File created                  C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}  msiexec.exe
    File opened for modification  C:\Windows\Installer\MSIEC59.tmp-\WixSharp.dll  rundll32.exe
    File opened for modification  C:\Windows\Installer\MSIEC59.tmp-\Microsoft.Deployment.WindowsInstaller.dll  rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: vssvc.exe
    Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache  vssvc.exe
    Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
    Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
    Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
    Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: msiexec.exe, rundll32.exe
    pid 4640  msiexec.exe (listed twice)
    pid 2252  rundll32.exe (listed twice)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: msiexec.exe, msiexec.exe, vssvc.exe
    msiexec.exe (pid 1956), tokens in the order listed: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
    vssvc.exe (pid 556): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    msiexec.exe (pid 4640): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating for the remaining entries
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: msiexec.exe
    pid 1956  msiexec.exe (listed twice)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: msiexec.exe, MsiExec.exe, rundll32.exe
    PID 4640 msiexec.exe wrote to memory of PID 4516 srtasks.exe (listed twice)
    PID 4640 msiexec.exe wrote to memory of PID 3600 MsiExec.exe (listed twice)
    PID 3600 MsiExec.exe wrote to memory of PID 508 rundll32.exe (listed twice)
    PID 508 rundll32.exe wrote to memory of PID 2252 rundll32.exe (listed twice)
Processes
- Process (depth 1): C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\soon_even.msi
  Signatures:
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- Process (depth 1): C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Process (depth 2): C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - Process (depth 2): C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 3E9A909C83BC41DA0A7842EEB17CDFA1
    Signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Process (depth 3): C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe "C:\Windows\Installer\MSIEC59.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240577718 2 test.cs!Test.CustomActions.MyAction
      Signatures:
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - Process (depth 4): C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpF244.dll",init
        Signatures:
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
- Process (depth 1): C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpF244.dll
  Filesize: 970KB
  MD5: 2890e5f0cfc6002f91d3c6fe864fd13b
  SHA1: 571bf0539400fcd6f803b10be2fa86782110fd2d
  SHA256: 68a083503a2de1e5f5c4709eb1a294157b27616cbb4f7941cc46ed0a1c1166ee
  SHA512: 157d02900d806b36ec78b14be84719788db3811d205e6e88c5cf279fbd0a03d63f131be26f34ece697d963671e15047a427a004ff54834d2d5969d419beb4883
- C:\Windows\Installer\MSIEC59.tmp
  Filesize: 413KB
  MD5: 146e479aafa7af37336def7997189975
  SHA1: 96481247f7addef1c67b700a87a0815cc5318bfa
  SHA256: 763e08bd69a79b127ff302e01d060e646ddcf66546eeced6e14ceedc3099ebfd
  SHA512: a868432cb77754b65bd498fb5f83751876a39f1ce65a4ea598376f9e6e67de6c86bf4d4ec87dbaa264237c2457a1ba14c2bb9efb2420c4484b6a6e17b0bee2ba
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: 8c81473ead54051edcbe9e06ef90daaa
  SHA1: f2c21997b75a48d70b7682ed7d2b144f607c0d69
  SHA256: 99cfcfd29e1842f63a6ff47c25ce6540dc7c95ae4cdddd25bf3518bff005cda3
  SHA512: 513e04fd25f98196b5f9195587def4a74bac2b3da0e321d9b4184af605f21d8a355b5eae287614b69bb5a8e05ad21f1a11b8ebfc0a5357edc51cccccfe6280cd
- \??\Volume{d2609e0b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f1e4c65d-e767-4fd0-82ef-c6da55c483b3}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 915c08b3c93f4c8819260dce0b57fb93
  SHA1: 5a5b7b4490fc7f62ec8fb2ff33cde76e6c1437ab
  SHA256: 4b6aab7932ef89ebbddfab79f4293cc33c26e2df9823522618a2663e9b3a8518
  SHA512: 5f93aa710039b3ede72b8deb86ced07010d4e6c8eddec2d98f3e4b4a6f58bb9b118a8850ce874eb0f8703707044e33ae39b60888a3f90998d93e192c766f9f07
- memory/508-140-0x000002157F840000-0x000002157F8B0000-memory.dmp (Filesize: 448KB)
- memory/508-141-0x00007FFC0F220000-0x00007FFC0FCE1000-memory.dmp (Filesize: 10.8MB)
- memory/508-139-0x0000021565DD0000-0x0000021565DDA000-memory.dmp (Filesize: 40KB)
- memory/508-145-0x00007FFC0F220000-0x00007FFC0FCE1000-memory.dmp (Filesize: 10.8MB)
- memory/508-138-0x0000021565E00000-0x0000021565E2E000-memory.dmp (Filesize: 184KB)
- memory/508-136-0x0000000000000000-mapping.dmp
- memory/2252-142-0x0000000000000000-mapping.dmp
- memory/2252-146-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
- memory/3600-133-0x0000000000000000-mapping.dmp
- memory/4516-132-0x0000000000000000-mapping.dmp