Analysis
- max time kernel: 94s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-12-2022 16:12
Static task: static1
Behavioral task: behavioral1
- Sample: range_their.msi
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: range_their.msi
- Resource: win10v2004-20220812-en
General
- Target: range_their.msi
- Size: 1.4MB
- MD5: 05b0f6ddd315e85d95038ade3d48f28a
- SHA1: cb9aa99c2744b4fd1b755c9a3858df869645c24f
- SHA256: 4d47ae858358361c1620d6f0d083946944cffb4165ecc620522e6156d9009607
- SHA512: 44d1b19c4c5badb00622025e2426cb58ed2a084834ec3a3e49cefc7f64ce13dc9637e073af506faecc38eaa9a35c1b3886c3f87f08d41af4833771cdc4d8925b
- SSDEEP: 24576:wHL0kPEJnFbMyaRb8e1e96Pef7k0bNRjpB4dPURaH:wr0PJKyah/BPg1RaH
Malware Config
Extracted
icedid
3407323965
estrabornhot.com
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe
  - flow 78, pid 3040, rundll32.exe
  - flow 93, pid 3040, rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: rundll32.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (rundll32.exe)
- Loads dropped DLL (3 IoCs)
  Processes: MsiExec.exe, rundll32.exe, rundll32.exe
  - pid 2044, MsiExec.exe
  - pid 3884, rundll32.exe
  - pid 3040, rundll32.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
  - File opened (read-only) by msiexec.exe, each of the following twice (48 events in total): \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:)
- Drops file in Windows directory (13 IoCs)
  Processes: msiexec.exe, rundll32.exe
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI6E5.tmp-\Microsoft.Deployment.WindowsInstaller.dll (rundll32.exe)
  - File created: C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} (msiexec.exe)
  - File created: C:\Windows\Installer\e57068a.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI6E5.tmp-\WixSharp.dll (rundll32.exe)
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  - File created: C:\Windows\Installer\e570688.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\e570688.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI6E5.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSI6E5.tmp-\test.cs.dll (rundll32.exe)
  - File opened for modification: C:\Windows\Installer\MSI6E5.tmp-\CustomAction.config (rundll32.exe)
  - File opened for modification: C:\Windows\Installer\MSI10CA.tmp (msiexec.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: vssvc.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not present in the report) (vssvc.exe)
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: msiexec.exe, rundll32.exe
  - pid 1456, msiexec.exe (2 events)
  - pid 3040, rundll32.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: msiexec.exe, msiexec.exe, vssvc.exe
  - pid 2488, msiexec.exe (31 events), tokens in order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - pid 4644, vssvc.exe (3 events), tokens: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - pid 1456, msiexec.exe (30 events), tokens: SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege adjusted alternately (28 events)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: msiexec.exe
  - pid 2488, msiexec.exe (2 events)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: msiexec.exe, MsiExec.exe, rundll32.exe
  - PID 1456 msiexec.exe wrote to memory of PID 2664 srtasks.exe (2 events)
  - PID 1456 msiexec.exe wrote to memory of PID 2044 MsiExec.exe (2 events)
  - PID 2044 MsiExec.exe wrote to memory of PID 3884 rundll32.exe (2 events)
  - PID 3884 rundll32.exe wrote to memory of PID 3040 rundll32.exe (2 events)
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\range_their.msi
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 8B0747697434788E0EEBB7990D579A88
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe "C:\Windows\Installer\MSI6E5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240584546 2 test.cs!Test.CustomActions.MyAction
      Signatures: Checks computer location settings; Loads dropped DLL; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpA50.dll",init
        Signatures: Blocklisted process makes network request; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA50.dll
  Filesize: 970KB
  MD5: c27a1d6ebc0ea34edb928b84031b222e
  SHA1: 803b1bb8dba1fde73300308171bbca4eae04ec08
  SHA256: f634d3e4fd753a64b5eab7a3d74700b84c8bc7ada35b3583550f9f61bf3e6dbd
  SHA512: 6f128f9dd8fd71a580d07fd32a6131a3c1ea8dae8b87edcd5adbbe2c88777dff5a4ab7ba453e5fca74429b13d1f86b3064482db8cca41e846a3e8fac6fca60c7
- C:\Windows\Installer\MSI6E5.tmp
  Filesize: 413KB
  MD5: 7b045b56ba2b1ad587a45648e50e4975
  SHA1: 88dc8c279003919ba2610dd42a127eef562e88e7
  SHA256: 7ba315650da329a02499ae02fad5e0aacd98964412b25bfce348af68cc06b692
  SHA512: 9f99acfbb05eccead3486100ac86097384808c93b01bdfe964bfb91bd6fb931139650da3dab14dd3d0df50b5983c6b733e64205e0afada0452aa8acb79e71722
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: c586978d3cd0515a5de30f01c4449b7b
  SHA1: 1b2d84fc73209ff0ff11560833a9ceb79c036e51
  SHA256: c25f663f91dc89e4e18affaacff14c33517aca4ec4eaf326b6288395d6ca7545
  SHA512: e8bc183798059412d392d739020573c7eb02d24ff3d95c843b03ba0e60b4dac6a79ae9291b051585a241e47b318989d0f0beee373f10a70e8fc6bac5d6e97cf7
- \??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ac12721c-a095-4d38-8041-5f72ab752fb7}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 9c4896f1170fb607bb8f59b74c3b73c9
  SHA1: ea267c283bc1f12cb8a8b7b208f58966e5a614b7
  SHA256: 039ce097133e656dc91816f5a6cb7acb6a210713b9657b38abdc270f052a8d8f
  SHA512: 7f4bcf3c7f7ed9c71c06679b82b0d12c15d2880094af131cdd85c7b686465618f31ce36314eb85543ea0ae3f32845ed203539fac01390e88d851097bfd533e82
- memory/2044-136-0x0000000000000000-mapping.dmp
- memory/2664-135-0x0000000000000000-mapping.dmp
- memory/3040-149-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
- memory/3040-145-0x0000000000000000-mapping.dmp
- memory/3884-139-0x0000000000000000-mapping.dmp
- memory/3884-147-0x00007FFB3C6A0000-0x00007FFB3D161000-memory.dmp (Filesize: 10.8MB)
- memory/3884-144-0x00007FFB3C6A0000-0x00007FFB3D161000-memory.dmp (Filesize: 10.8MB)
- memory/3884-143-0x000002201B5C0000-0x000002201B630000-memory.dmp (Filesize: 448KB)
- memory/3884-142-0x00000220016D0000-0x00000220016DA000-memory.dmp (Filesize: 40KB)
- memory/3884-141-0x00000220016E0000-0x000002200170E000-memory.dmp (Filesize: 184KB)