Analysis
-
max time kernel
96s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
16-12-2022 17:53
Static task
static1
Behavioral task
behavioral1
Sample
Setup_Win_16-12-2022_16-47-34.msi
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Setup_Win_16-12-2022_16-47-34.msi
Resource
win10v2004-20220812-en
General
-
Target
Setup_Win_16-12-2022_16-47-34.msi
-
Size
1.6MB
-
MD5
392916da17e4ef4d8c88c778cf75db5a
-
SHA1
1996bc54416273a26bf938a713f9f35a5aae68a8
-
SHA256
e8b323a81faf2904459bb4a35bc8e2519850afc9f960ffd06a22f3e197185a9a
-
SHA512
4c554f32906b3ce50633628afac4a3984f8e5f4039f185d4d8d6d653aa35d6df2eae860d4a64a08e94c4cd4283d56e5118ab5447f2fa53b590ad1cde638b182d
-
SSDEEP
24576:7HL0HvwglMtNroES7S8asBci5cRMyBAUIqw5NOcH9iIDMNUEer0OVTm10ku2w:7r0YglMbr3SWpsWjRMMKIIDB/k
Malware Config
Extracted
icedid
1228806356
klepdrafooip.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 74 4788 rundll32.exe 95 4788 rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation rundll32.exe -
Loads dropped DLL 3 IoCs
Processes:
MsiExec.exerundll32.exerundll32.exepid process 4864 MsiExec.exe 4992 rundll32.exe 4788 rundll32.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe -
Drops file in Windows directory 13 IoCs
Processes:
msiexec.exerundll32.exedescription ioc process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} msiexec.exe File opened for modification C:\Windows\Installer\MSIFBDA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIFBDA.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIFBDA.tmp-\WixSharp.dll rundll32.exe File opened for modification C:\Windows\Installer\e56f997.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIFB2D.tmp msiexec.exe File created C:\Windows\Installer\e56f999.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIFBDA.tmp-\test.cs.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIFBDA.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File created C:\Windows\Installer\e56f997.msi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000dcccb42f1bc641320000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000dcccb42f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900dcccb42f000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msiexec.exerundll32.exepid process 704 msiexec.exe 704 msiexec.exe 4788 rundll32.exe 4788 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 2280 msiexec.exe Token: SeIncreaseQuotaPrivilege 2280 msiexec.exe Token: SeSecurityPrivilege 704 msiexec.exe Token: SeCreateTokenPrivilege 2280 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2280 msiexec.exe Token: SeLockMemoryPrivilege 2280 msiexec.exe Token: SeIncreaseQuotaPrivilege 2280 msiexec.exe Token: SeMachineAccountPrivilege 2280 msiexec.exe Token: SeTcbPrivilege 2280 msiexec.exe Token: SeSecurityPrivilege 2280 msiexec.exe Token: SeTakeOwnershipPrivilege 2280 msiexec.exe Token: SeLoadDriverPrivilege 2280 msiexec.exe Token: SeSystemProfilePrivilege 2280 msiexec.exe Token: SeSystemtimePrivilege 2280 msiexec.exe Token: SeProfSingleProcessPrivilege 2280 msiexec.exe Token: SeIncBasePriorityPrivilege 2280 msiexec.exe Token: SeCreatePagefilePrivilege 2280 msiexec.exe Token: SeCreatePermanentPrivilege 2280 msiexec.exe Token: SeBackupPrivilege 2280 msiexec.exe Token: SeRestorePrivilege 2280 msiexec.exe Token: SeShutdownPrivilege 2280 msiexec.exe Token: SeDebugPrivilege 2280 msiexec.exe Token: SeAuditPrivilege 2280 msiexec.exe Token: SeSystemEnvironmentPrivilege 2280 msiexec.exe Token: SeChangeNotifyPrivilege 2280 msiexec.exe Token: SeRemoteShutdownPrivilege 2280 msiexec.exe Token: SeUndockPrivilege 2280 msiexec.exe Token: SeSyncAgentPrivilege 2280 msiexec.exe Token: SeEnableDelegationPrivilege 2280 msiexec.exe Token: SeManageVolumePrivilege 2280 msiexec.exe Token: SeImpersonatePrivilege 2280 msiexec.exe Token: SeCreateGlobalPrivilege 2280 msiexec.exe Token: SeBackupPrivilege 204 vssvc.exe Token: SeRestorePrivilege 204 vssvc.exe Token: SeAuditPrivilege 204 vssvc.exe Token: SeBackupPrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe Token: SeTakeOwnershipPrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe Token: SeTakeOwnershipPrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe Token: SeTakeOwnershipPrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe Token: SeTakeOwnershipPrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe Token: SeTakeOwnershipPrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe Token: SeTakeOwnershipPrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe Token: SeTakeOwnershipPrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe Token: SeTakeOwnershipPrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe Token: SeTakeOwnershipPrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe Token: SeTakeOwnershipPrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe Token: SeTakeOwnershipPrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe Token: SeTakeOwnershipPrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe Token: SeTakeOwnershipPrivilege 704 msiexec.exe Token: SeRestorePrivilege 704 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 2280 msiexec.exe 2280 msiexec.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
msiexec.exeMsiExec.exerundll32.exedescription pid process target process PID 704 wrote to memory of 868 704 msiexec.exe srtasks.exe PID 704 wrote to memory of 868 704 msiexec.exe srtasks.exe PID 704 wrote to memory of 4864 704 msiexec.exe MsiExec.exe PID 704 wrote to memory of 4864 704 msiexec.exe MsiExec.exe PID 4864 wrote to memory of 4992 4864 MsiExec.exe rundll32.exe PID 4864 wrote to memory of 4992 4864 MsiExec.exe rundll32.exe PID 4992 wrote to memory of 4788 4992 rundll32.exe rundll32.exe PID 4992 wrote to memory of 4788 4992 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_16-12-2022_16-47-34.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 5040113E803CCA7313A477972BD8C2432⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Windows\Installer\MSIFBDA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240581718 2 test.cs!X1X3X2.Y1yY.Z3z1Z3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSIea16e36c.msi",init4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\MSIea16e36c.msiFilesize
1.2MB
MD52e39f1486c47b0ea7f3a03b01963c801
SHA139774ad2b8251f80647eac7df69aaca01a9d9502
SHA256cd65a3c349da4da45a26d8d4e3c07ef4045679feb458221a391375e3e328d52d
SHA5120412565a0df35037a93deaa2621a9b379deb053d488c4cc24492dae6bee6dde34ad23976830c616dd2ecd2dbcbbb373cb2fc18392f36634b7fba7899eca9c7ae
-
C:\Users\Admin\AppData\Local\MSIea16e36c.msiFilesize
1.2MB
MD52e39f1486c47b0ea7f3a03b01963c801
SHA139774ad2b8251f80647eac7df69aaca01a9d9502
SHA256cd65a3c349da4da45a26d8d4e3c07ef4045679feb458221a391375e3e328d52d
SHA5120412565a0df35037a93deaa2621a9b379deb053d488c4cc24492dae6bee6dde34ad23976830c616dd2ecd2dbcbbb373cb2fc18392f36634b7fba7899eca9c7ae
-
C:\Windows\Installer\MSIFBDA.tmpFilesize
414KB
MD570df6dba7c06a4352493b4ba091f903b
SHA1867c42e5a34517c23a1fc0521657c8aa8c56ce73
SHA25628784b9fd983e17834d8026b8ea8fcdef49fb9fd0808be02ee6360a698dbdd0c
SHA51238c22e0079d7835b0004a0cee7179a376d21691d6940ebd7f62d3a5f047fd92bcae1c2190be0b8599feaf8078c981b460dd5b53d4f476ba726c7f0b4e2209850
-
C:\Windows\Installer\MSIFBDA.tmpFilesize
414KB
MD570df6dba7c06a4352493b4ba091f903b
SHA1867c42e5a34517c23a1fc0521657c8aa8c56ce73
SHA25628784b9fd983e17834d8026b8ea8fcdef49fb9fd0808be02ee6360a698dbdd0c
SHA51238c22e0079d7835b0004a0cee7179a376d21691d6940ebd7f62d3a5f047fd92bcae1c2190be0b8599feaf8078c981b460dd5b53d4f476ba726c7f0b4e2209850
-
C:\Windows\Installer\MSIFBDA.tmpFilesize
414KB
MD570df6dba7c06a4352493b4ba091f903b
SHA1867c42e5a34517c23a1fc0521657c8aa8c56ce73
SHA25628784b9fd983e17834d8026b8ea8fcdef49fb9fd0808be02ee6360a698dbdd0c
SHA51238c22e0079d7835b0004a0cee7179a376d21691d6940ebd7f62d3a5f047fd92bcae1c2190be0b8599feaf8078c981b460dd5b53d4f476ba726c7f0b4e2209850
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.0MB
MD5d94aa059ea78d46889ddf808a87fb04c
SHA1b22a9b59238bddf399699baedacfafd7909b5da5
SHA2567683fa48155e68c0eb0a2f27bccd2a9d333c0fedeef4fbd198f7fa3b92289e44
SHA5123222d745cad825b0e936e6d5c6385ee9dce8cd914f775c9e335b000f0ece08bffd384de700e773df2952f7e66cbe5e52d519fe699fcf610eb5fb0e26645bdc73
-
\??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f6288126-5700-4c9e-bef5-d79f2ce8711d}_OnDiskSnapshotPropFilesize
5KB
MD51e6d5c9b60f49e0b3a44c9fae3295c1f
SHA1db5c984571241644d59f7abe6b83c1a5e55998b0
SHA25620d2a839435059ecf0ff4de937b304ab48756ce06efc1d9a233ca5f6aeca657e
SHA5121c35ee327eb339a623d4a22377ff274189e814ded68b420c6b52b86b164b8e41bffaa65477dfe593ab0875f9a9244091375ec48fa7abf47c458743daf26a94d8
-
memory/868-132-0x0000000000000000-mapping.dmp
-
memory/4788-145-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB
-
memory/4788-142-0x0000000000000000-mapping.dmp
-
memory/4864-133-0x0000000000000000-mapping.dmp
-
memory/4992-136-0x0000000000000000-mapping.dmp
-
memory/4992-141-0x00007FFA06610000-0x00007FFA070D1000-memory.dmpFilesize
10.8MB
-
memory/4992-140-0x000002A94EFC0000-0x000002A94F030000-memory.dmpFilesize
448KB
-
memory/4992-146-0x00007FFA06610000-0x00007FFA070D1000-memory.dmpFilesize
10.8MB
-
memory/4992-139-0x000002A936A30000-0x000002A936A3A000-memory.dmpFilesize
40KB
-
memory/4992-138-0x000002A936A50000-0x000002A936A7E000-memory.dmpFilesize
184KB