Analysis

max time kernel: 95s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-12-2022 20:38
Static task: static1

Behavioral task: behavioral1
  Sample: Setup_Win_14-12-2022_20-25-57.msi
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: Setup_Win_14-12-2022_20-25-57.msi
  Resource: win10v2004-20221111-en
General

Target: Setup_Win_14-12-2022_20-25-57.msi
Size: 1.9MB
MD5: 1108c1add09244f8615d6cc6539f9602
SHA1: a0c1bd208e3dfc0b928d6b06b3a7bd9fba43b15b
SHA256: b2675ac7e8e728ea6c6a23aa67f264e80913387c978252e43fbd3cbf41278f63
SHA512: 21ba422893566afdbe2c0343d178d4c8bf7f752d1caf3e7c7203ed3eb192b64138b5d74265f53b4dae39952c48d464ec057e47706aa45438ad91a0aab9a96398
SSDEEP: 49152:9r0nHD5a4/oyGe8EsuRMEl73hXNGzchfzYZppUQ:9r0jMDLshh
Malware Config

Extracted
  Family: icedid
  Campaign: 1002085315
  C2: klepdrafooip.com
Signatures

Blocklisted process makes network request (2 IoCs)
Processes (flow, pid, process):
  flow 31, pid 4720, rundll32.exe
  flow 37, pid 4720, rundll32.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
  Key value queried: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation (rundll32.exe)
Loads dropped DLL (3 IoCs)
Processes (pid, process):
  2380 MsiExec.exe
  2020 rundll32.exe
  4720 rundll32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
  File opened (read-only) by msiexec.exe, in the order reported (48 entries): \??\J:, \??\K:, \??\Q:, \??\Y:, \??\A:, \??\E:, \??\F:, \??\I:, \??\Z:, \??\E:, \??\L:, \??\M:, \??\Y:, \??\P:, \??\S:, \??\U:, \??\X:, \??\V:, \??\U:, \??\W:, \??\Z:, \??\V:, \??\B:, \??\L:, \??\O:, \??\G:, \??\X:, \??\G:, \??\I:, \??\K:, \??\T:, \??\R:, \??\W:, \??\F:, \??\O:, \??\R:, \??\B:, \??\H:, \??\J:, \??\N:, \??\T:, \??\N:, \??\P:, \??\Q:, \??\A:, \??\H:, \??\M:, \??\S:
Drops file in Windows directory (13 IoCs)
Processes (description, ioc, process):
  File created: C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} (msiexec.exe)
  File created: C:\Windows\Installer\e56f1f8.msi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSIF4A7.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSIF4A7.tmp-\test.cs.dll (rundll32.exe)
  File opened for modification: C:\Windows\Installer\MSIF4A7.tmp-\CustomAction.config (rundll32.exe)
  File opened for modification: C:\Windows\Installer\MSIF4A7.tmp-\WixSharp.dll (rundll32.exe)
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSIF3DA.tmp (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSIF4A7.tmp-\Microsoft.Deployment.WindowsInstaller.dll (rundll32.exe)
  File created: C:\Windows\Installer\e56f1f6.msi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\e56f1f6.msi (msiexec.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
vssvc.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000106161d2e731958f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000106161d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900106161d2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000106161d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000106161d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 
534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid, process):
  2960 msiexec.exe
  2960 msiexec.exe
  4720 rundll32.exe
  4720 rundll32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description, pid, process), grouped by process in the order reported:
  msiexec.exe (PID 1764), 31 entries: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (a single SeSecurityPrivilege entry for PID 2960 is interleaved after the second of these)
  vssvc.exe (PID 4640), 3 entries: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  msiexec.exe (PID 2960), 30 entries: SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating and ending with SeRestorePrivilege (totals: SeRestorePrivilege x15, SeTakeOwnershipPrivilege x13, SeBackupPrivilege x1, SeSecurityPrivilege x1)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
  1764 msiexec.exe
  1764 msiexec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, target process):
  PID 2960 wrote to memory of 32: msiexec.exe -> srtasks.exe (reported twice)
  PID 2960 wrote to memory of 2380: msiexec.exe -> MsiExec.exe (reported twice)
  PID 2380 wrote to memory of 2020: MsiExec.exe -> rundll32.exe (reported twice)
  PID 2020 wrote to memory of 4720: rundll32.exe -> rundll32.exe (reported twice)
Processes (tree; indentation shows parent/child depth)

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_14-12-2022_20-25-57.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    C:\Windows\System32\MsiExec.exe
      Command line: C:\Windows\System32\MsiExec.exe -Embedding 5EA4D5F24918D39E69147F34A12DBC9F
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\rundll32.exe
          Command line: rundll32.exe "C:\Windows\Installer\MSIF4A7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240579828 2 test.cs!XXX.YyY.ZzZ
          - Checks computer location settings
          - Loads dropped DLL
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory

            C:\Windows\System32\rundll32.exe
              Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSI19c4b987.mst",init
              - Blocklisted process makes network request
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Local\MSI19c4b987.mst
  Filesize: 1.4MB
  MD5: 2b2deb165147b50f557b05b8ae31f877
  SHA1: 10f6d61f1bdcf416ab18ce72d6665d87db59ac22
  SHA256: 098b0237143e4c7c646df424915297ed66915869d94107cea4d7b72399021680
  SHA512: 87ba907efcab68e370869d1d41c9b022b2c7e81eec8f08092e5f1a8bc6b2ad3869459687fb79f42a665841dcb2741542c86de34f3395983e0e7d47afce794f69

C:\Windows\Installer\MSIF4A7.tmp
  Filesize: 414KB
  MD5: ce78c41d4670bf1187f5cc5a67778d67
  SHA1: 65efdc8ab9fa58cb7ffda52a305fec8b6e314da4
  SHA256: fcb072760b433026e2703cb87782a0e90ef099837582b09dd6c11b1443635d19
  SHA512: 18897491a0b60cfcfa25167f2426ed979bae091b861c75b6b7a32289c09575c4030467006332afca6b83c12fcae44f6d17c060c57c3697d9f0792fe8b61c8232

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: 5ecef1325a688f6871d3b41fc5fdfb23
  SHA1: 53cb4f9af8e1dcae51f98070d9bcbf85c77447ee
  SHA256: 5f64491674e8fed3a673df55165426098d25d60229e2f8877928c03835b3ef5b
  SHA512: b6c4021d2885a98e25333305b5022d3594318768767cbd86b383fbe210a929cd298884b7e957804a2436ea4b635437b1a3360f557ca7e15289c924a50cdb4ca4

\??\Volume{d2616110-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a5760c76-3e05-4a0c-8125-02c10dc9de22}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 3755aad4a436546bc5d6ee6a298a743b
  SHA1: bf61bc709e0bc374103c270644eae154abe9de35
  SHA256: 3d65a11835a17d99009b1f523816d305996a6d4fc34afb4602bf76b1553632d0
  SHA512: 5b91d88e00a46ee4eb8203c5fbdd5bf212f548ebecfe608125530936cce29fdf3adf3507e6de17d64577253bff2378a2a040df34f954eeaa91328ca8a6a0be55

Memory dumps:
  memory/32-132-0x0000000000000000-mapping.dmp
  memory/2020-136-0x0000000000000000-mapping.dmp
  memory/2020-141-0x00007FF89F9E0000-0x00007FF8A04A1000-memory.dmp (Filesize: 10.8MB)
  memory/2020-140-0x00000243DEC30000-0x00000243DECA0000-memory.dmp (Filesize: 448KB)
  memory/2020-139-0x00000243C5A30000-0x00000243C5A3A000-memory.dmp (Filesize: 40KB)
  memory/2020-145-0x00007FF89F9E0000-0x00007FF8A04A1000-memory.dmp (Filesize: 10.8MB)
  memory/2020-138-0x00000243C5BA0000-0x00000243C5BCE000-memory.dmp (Filesize: 184KB)
  memory/2380-133-0x0000000000000000-mapping.dmp
  memory/4720-142-0x0000000000000000-mapping.dmp
  memory/4720-146-0x000001E5C0AF0000-0x000001E5C0AF9000-memory.dmp (Filesize: 36KB)