Overview

overview

10

Static

static

Setup_Win_...57.msi

windows7-x64

10

Setup_Win_...57.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-12-2022 20:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup_Win_14-12-2022_20-25-57.msi

  • Size

    1.9MB

  • MD5

    1108c1add09244f8615d6cc6539f9602

  • SHA1

    a0c1bd208e3dfc0b928d6b06b3a7bd9fba43b15b

  • SHA256

    b2675ac7e8e728ea6c6a23aa67f264e80913387c978252e43fbd3cbf41278f63

  • SHA512

    21ba422893566afdbe2c0343d178d4c8bf7f752d1caf3e7c7203ed3eb192b64138b5d74265f53b4dae39952c48d464ec057e47706aa45438ad91a0aab9a96398

  • SSDEEP

    49152:9r0nHD5a4/oyGe8EsuRMEl73hXNGzchfzYZppUQ:9r0jMDLshh

Score
10/10
icedid1002085315bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

1002085315

C2

klepdrafooip.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_14-12-2022_20-25-57.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1764
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:32
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 5EA4D5F24918D39E69147F34A12DBC9F
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Windows\system32\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIF4A7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240579828 2 test.cs!XXX.YyY.ZzZ
          3⤵
          • Checks computer location settings
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2020
          • C:\Windows\System32\rundll32.exe
            "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSI19c4b987.mst",init
            4⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:4720
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4640

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    2
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\MSI19c4b987.mst
      Filesize

      1.4MB

      MD5

      2b2deb165147b50f557b05b8ae31f877

      SHA1

      10f6d61f1bdcf416ab18ce72d6665d87db59ac22

      SHA256

      098b0237143e4c7c646df424915297ed66915869d94107cea4d7b72399021680

      SHA512

      87ba907efcab68e370869d1d41c9b022b2c7e81eec8f08092e5f1a8bc6b2ad3869459687fb79f42a665841dcb2741542c86de34f3395983e0e7d47afce794f69

      Download Submit
    • C:\Users\Admin\AppData\Local\MSI19c4b987.mst
      Filesize

      1.4MB

      MD5

      2b2deb165147b50f557b05b8ae31f877

      SHA1

      10f6d61f1bdcf416ab18ce72d6665d87db59ac22

      SHA256

      098b0237143e4c7c646df424915297ed66915869d94107cea4d7b72399021680

      SHA512

      87ba907efcab68e370869d1d41c9b022b2c7e81eec8f08092e5f1a8bc6b2ad3869459687fb79f42a665841dcb2741542c86de34f3395983e0e7d47afce794f69

      Download Submit
    • C:\Windows\Installer\MSIF4A7.tmp
      Filesize

      414KB

      MD5

      ce78c41d4670bf1187f5cc5a67778d67

      SHA1

      65efdc8ab9fa58cb7ffda52a305fec8b6e314da4

      SHA256

      fcb072760b433026e2703cb87782a0e90ef099837582b09dd6c11b1443635d19

      SHA512

      18897491a0b60cfcfa25167f2426ed979bae091b861c75b6b7a32289c09575c4030467006332afca6b83c12fcae44f6d17c060c57c3697d9f0792fe8b61c8232

      Download Submit
    • C:\Windows\Installer\MSIF4A7.tmp
      Filesize

      414KB

      MD5

      ce78c41d4670bf1187f5cc5a67778d67

      SHA1

      65efdc8ab9fa58cb7ffda52a305fec8b6e314da4

      SHA256

      fcb072760b433026e2703cb87782a0e90ef099837582b09dd6c11b1443635d19

      SHA512

      18897491a0b60cfcfa25167f2426ed979bae091b861c75b6b7a32289c09575c4030467006332afca6b83c12fcae44f6d17c060c57c3697d9f0792fe8b61c8232

      Download Submit
    • C:\Windows\Installer\MSIF4A7.tmp
      Filesize

      414KB

      MD5

      ce78c41d4670bf1187f5cc5a67778d67

      SHA1

      65efdc8ab9fa58cb7ffda52a305fec8b6e314da4

      SHA256

      fcb072760b433026e2703cb87782a0e90ef099837582b09dd6c11b1443635d19

      SHA512

      18897491a0b60cfcfa25167f2426ed979bae091b861c75b6b7a32289c09575c4030467006332afca6b83c12fcae44f6d17c060c57c3697d9f0792fe8b61c8232

      Download Submit
    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.0MB

      MD5

      5ecef1325a688f6871d3b41fc5fdfb23

      SHA1

      53cb4f9af8e1dcae51f98070d9bcbf85c77447ee

      SHA256

      5f64491674e8fed3a673df55165426098d25d60229e2f8877928c03835b3ef5b

      SHA512

      b6c4021d2885a98e25333305b5022d3594318768767cbd86b383fbe210a929cd298884b7e957804a2436ea4b635437b1a3360f557ca7e15289c924a50cdb4ca4

      Download Submit
    • \??\Volume{d2616110-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a5760c76-3e05-4a0c-8125-02c10dc9de22}_OnDiskSnapshotProp
      Filesize

      5KB

      MD5

      3755aad4a436546bc5d6ee6a298a743b

      SHA1

      bf61bc709e0bc374103c270644eae154abe9de35

      SHA256

      3d65a11835a17d99009b1f523816d305996a6d4fc34afb4602bf76b1553632d0

      SHA512

      5b91d88e00a46ee4eb8203c5fbdd5bf212f548ebecfe608125530936cce29fdf3adf3507e6de17d64577253bff2378a2a040df34f954eeaa91328ca8a6a0be55

      Download Submit
    • memory/32-132-0x0000000000000000-mapping.dmp
      Download
    • memory/2020-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2020-141-0x00007FF89F9E0000-0x00007FF8A04A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2020-140-0x00000243DEC30000-0x00000243DECA0000-memory.dmp
      Filesize

      448KB

      Download
    • memory/2020-139-0x00000243C5A30000-0x00000243C5A3A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2020-145-0x00007FF89F9E0000-0x00007FF8A04A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2020-138-0x00000243C5BA0000-0x00000243C5BCE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2380-133-0x0000000000000000-mapping.dmp
      Download
    • memory/4720-142-0x0000000000000000-mapping.dmp
      Download
    • memory/4720-146-0x000001E5C0AF0000-0x000001E5C0AF9000-memory.dmp
      Filesize

      36KB

      Download