Analysis
-
max time kernel
93s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
16-12-2022 17:53
Static task
static1
Behavioral task
behavioral1
Sample
Setup_Win_16-12-2022_16-47-34.msi
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Setup_Win_16-12-2022_16-47-34.msi
Resource
win10v2004-20221111-en
General
-
Target
Setup_Win_16-12-2022_16-47-34.msi
-
Size
1.6MB
-
MD5
392916da17e4ef4d8c88c778cf75db5a
-
SHA1
1996bc54416273a26bf938a713f9f35a5aae68a8
-
SHA256
e8b323a81faf2904459bb4a35bc8e2519850afc9f960ffd06a22f3e197185a9a
-
SHA512
4c554f32906b3ce50633628afac4a3984f8e5f4039f185d4d8d6d653aa35d6df2eae860d4a64a08e94c4cd4283d56e5118ab5447f2fa53b590ad1cde638b182d
-
SSDEEP
24576:7HL0HvwglMtNroES7S8asBci5cRMyBAUIqw5NOcH9iIDMNUEer0OVTm10ku2w:7r0YglMbr3SWpsWjRMMKIIDB/k
Malware Config
Extracted
icedid
1228806356
klepdrafooip.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 31 4392 rundll32.exe 41 4392 rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation rundll32.exe -
Loads dropped DLL 3 IoCs
Processes:
MsiExec.exerundll32.exerundll32.exepid process 360 MsiExec.exe 3596 rundll32.exe 4392 rundll32.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Drops file in Windows directory 13 IoCs
Processes:
msiexec.exerundll32.exedescription ioc process File created C:\Windows\Installer\e56d7a8.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} msiexec.exe File opened for modification C:\Windows\Installer\MSID9AC.tmp-\WixSharp.dll rundll32.exe File opened for modification C:\Windows\Installer\e56d7a8.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSID8E0.tmp msiexec.exe File created C:\Windows\Installer\e56d7aa.msi msiexec.exe File opened for modification C:\Windows\Installer\MSID9AC.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID9AC.tmp-\test.cs.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID9AC.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSID9AC.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000005cb6ed2f2c7878f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000005cb6ed20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090005cb6ed2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msiexec.exerundll32.exepid process 4692 msiexec.exe 4692 msiexec.exe 4392 rundll32.exe 4392 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 3540 msiexec.exe Token: SeIncreaseQuotaPrivilege 3540 msiexec.exe Token: SeSecurityPrivilege 4692 msiexec.exe Token: SeCreateTokenPrivilege 3540 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3540 msiexec.exe Token: SeLockMemoryPrivilege 3540 msiexec.exe Token: SeIncreaseQuotaPrivilege 3540 msiexec.exe Token: SeMachineAccountPrivilege 3540 msiexec.exe Token: SeTcbPrivilege 3540 msiexec.exe Token: SeSecurityPrivilege 3540 msiexec.exe Token: SeTakeOwnershipPrivilege 3540 msiexec.exe Token: SeLoadDriverPrivilege 3540 msiexec.exe Token: SeSystemProfilePrivilege 3540 msiexec.exe Token: SeSystemtimePrivilege 3540 msiexec.exe Token: SeProfSingleProcessPrivilege 3540 msiexec.exe Token: SeIncBasePriorityPrivilege 3540 msiexec.exe Token: SeCreatePagefilePrivilege 3540 msiexec.exe Token: SeCreatePermanentPrivilege 3540 msiexec.exe Token: SeBackupPrivilege 3540 msiexec.exe Token: SeRestorePrivilege 3540 msiexec.exe Token: SeShutdownPrivilege 3540 msiexec.exe Token: SeDebugPrivilege 3540 msiexec.exe Token: SeAuditPrivilege 3540 msiexec.exe Token: SeSystemEnvironmentPrivilege 3540 msiexec.exe Token: SeChangeNotifyPrivilege 3540 msiexec.exe Token: SeRemoteShutdownPrivilege 3540 msiexec.exe Token: SeUndockPrivilege 3540 msiexec.exe Token: SeSyncAgentPrivilege 3540 msiexec.exe Token: SeEnableDelegationPrivilege 3540 msiexec.exe Token: SeManageVolumePrivilege 3540 msiexec.exe Token: SeImpersonatePrivilege 3540 msiexec.exe Token: SeCreateGlobalPrivilege 3540 msiexec.exe Token: SeBackupPrivilege 4924 vssvc.exe Token: SeRestorePrivilege 4924 vssvc.exe Token: SeAuditPrivilege 4924 vssvc.exe Token: SeBackupPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 3540 msiexec.exe 3540 msiexec.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
msiexec.exeMsiExec.exerundll32.exedescription pid process target process PID 4692 wrote to memory of 3768 4692 msiexec.exe srtasks.exe PID 4692 wrote to memory of 3768 4692 msiexec.exe srtasks.exe PID 4692 wrote to memory of 360 4692 msiexec.exe MsiExec.exe PID 4692 wrote to memory of 360 4692 msiexec.exe MsiExec.exe PID 360 wrote to memory of 3596 360 MsiExec.exe rundll32.exe PID 360 wrote to memory of 3596 360 MsiExec.exe rundll32.exe PID 3596 wrote to memory of 4392 3596 rundll32.exe rundll32.exe PID 3596 wrote to memory of 4392 3596 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_16-12-2022_16-47-34.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding B0F6C2852D380E43D9A52AB8C00512F12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Windows\Installer\MSID9AC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240572937 2 test.cs!X1X3X2.Y1yY.Z3z1Z3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSIf983d1ed.msi",init4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\MSIf983d1ed.msiFilesize
1.2MB
MD52e39f1486c47b0ea7f3a03b01963c801
SHA139774ad2b8251f80647eac7df69aaca01a9d9502
SHA256cd65a3c349da4da45a26d8d4e3c07ef4045679feb458221a391375e3e328d52d
SHA5120412565a0df35037a93deaa2621a9b379deb053d488c4cc24492dae6bee6dde34ad23976830c616dd2ecd2dbcbbb373cb2fc18392f36634b7fba7899eca9c7ae
-
C:\Users\Admin\AppData\Local\MSIf983d1ed.msiFilesize
1.2MB
MD52e39f1486c47b0ea7f3a03b01963c801
SHA139774ad2b8251f80647eac7df69aaca01a9d9502
SHA256cd65a3c349da4da45a26d8d4e3c07ef4045679feb458221a391375e3e328d52d
SHA5120412565a0df35037a93deaa2621a9b379deb053d488c4cc24492dae6bee6dde34ad23976830c616dd2ecd2dbcbbb373cb2fc18392f36634b7fba7899eca9c7ae
-
C:\Windows\Installer\MSID9AC.tmpFilesize
414KB
MD570df6dba7c06a4352493b4ba091f903b
SHA1867c42e5a34517c23a1fc0521657c8aa8c56ce73
SHA25628784b9fd983e17834d8026b8ea8fcdef49fb9fd0808be02ee6360a698dbdd0c
SHA51238c22e0079d7835b0004a0cee7179a376d21691d6940ebd7f62d3a5f047fd92bcae1c2190be0b8599feaf8078c981b460dd5b53d4f476ba726c7f0b4e2209850
-
C:\Windows\Installer\MSID9AC.tmpFilesize
414KB
MD570df6dba7c06a4352493b4ba091f903b
SHA1867c42e5a34517c23a1fc0521657c8aa8c56ce73
SHA25628784b9fd983e17834d8026b8ea8fcdef49fb9fd0808be02ee6360a698dbdd0c
SHA51238c22e0079d7835b0004a0cee7179a376d21691d6940ebd7f62d3a5f047fd92bcae1c2190be0b8599feaf8078c981b460dd5b53d4f476ba726c7f0b4e2209850
-
C:\Windows\Installer\MSID9AC.tmpFilesize
414KB
MD570df6dba7c06a4352493b4ba091f903b
SHA1867c42e5a34517c23a1fc0521657c8aa8c56ce73
SHA25628784b9fd983e17834d8026b8ea8fcdef49fb9fd0808be02ee6360a698dbdd0c
SHA51238c22e0079d7835b0004a0cee7179a376d21691d6940ebd7f62d3a5f047fd92bcae1c2190be0b8599feaf8078c981b460dd5b53d4f476ba726c7f0b4e2209850
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.0MB
MD5593fdf55ef4adc3818ea9cad17f242d1
SHA13693d79ea713a50d519cf691d1d65fb538a1643f
SHA256067d8bc3b7d11b52ac4897025c7c7c292be2f8622699649332b28df94232eced
SHA512f3ef6ab9bd6cabff79e6af1b338587336b22a332d30db09db12c8fd91409692f94f7ebf83b5e5ae3cc3f6d06282c77a13f8f5b6ccde0594dfe42c66c7c32aee0
-
\??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{89b843c4-7208-4f47-b393-e9f505a9cc0e}_OnDiskSnapshotPropFilesize
5KB
MD5465283cd6fd689af77092441e38aebb0
SHA1f5cbdb51e07cc5d45fb570d011f045f811fd620d
SHA2563029cff0a59793b244100dfb04e9396ae48ec3d0b2fde78006daadb4566c87c5
SHA51267464ef9213ec168d8a1dc655c76c3b631754be83b46e0b2e5e1d9b597ff1321f34cc9a1f2270fa38c6664dba222b7977500b4dbaa878d929702537b7c5f1b4c
-
memory/360-133-0x0000000000000000-mapping.dmp
-
memory/3596-140-0x000001E4F3AF0000-0x000001E4F3B60000-memory.dmpFilesize
448KB
-
memory/3596-141-0x000001E4F2A60000-0x000001E4F3521000-memory.dmpFilesize
10.8MB
-
memory/3596-144-0x000001E4F2A60000-0x000001E4F3521000-memory.dmpFilesize
10.8MB
-
memory/3596-139-0x000001E4F2950000-0x000001E4F295A000-memory.dmpFilesize
40KB
-
memory/3596-138-0x000001E4F36C0000-0x000001E4F36EE000-memory.dmpFilesize
184KB
-
memory/3596-136-0x0000000000000000-mapping.dmp
-
memory/3768-132-0x0000000000000000-mapping.dmp
-
memory/4392-142-0x0000000000000000-mapping.dmp
-
memory/4392-146-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB