Analysis
-
max time kernel
92s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
16-12-2022 17:56
Static task
static1
Behavioral task
behavioral1
Sample
Setup_Win_16-12-2022_16-47-34.msi
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Setup_Win_16-12-2022_16-47-34.msi
Resource
win10v2004-20221111-en
General
-
Target
Setup_Win_16-12-2022_16-47-34.msi
-
Size
1.6MB
-
MD5
392916da17e4ef4d8c88c778cf75db5a
-
SHA1
1996bc54416273a26bf938a713f9f35a5aae68a8
-
SHA256
e8b323a81faf2904459bb4a35bc8e2519850afc9f960ffd06a22f3e197185a9a
-
SHA512
4c554f32906b3ce50633628afac4a3984f8e5f4039f185d4d8d6d653aa35d6df2eae860d4a64a08e94c4cd4283d56e5118ab5447f2fa53b590ad1cde638b182d
-
SSDEEP
24576:7HL0HvwglMtNroES7S8asBci5cRMyBAUIqw5NOcH9iIDMNUEer0OVTm10ku2w:7r0YglMbr3SWpsWjRMMKIIDB/k
Malware Config
Extracted
icedid
1228806356
klepdrafooip.com
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 27 2752 rundll32.exe 41 2752 rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation rundll32.exe -
Loads dropped DLL 3 IoCs
Processes:
MsiExec.exerundll32.exerundll32.exepid process 2636 MsiExec.exe 3744 rundll32.exe 2752 rundll32.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\X: msiexec.exe -
Drops file in Windows directory 13 IoCs
Processes:
msiexec.exerundll32.exedescription ioc process File opened for modification C:\Windows\Installer\e56d5a4.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSID6DD.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID76A.tmp-\WixSharp.dll rundll32.exe File created C:\Windows\Installer\e56d5a6.msi msiexec.exe File opened for modification C:\Windows\Installer\MSID76A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID76A.tmp-\test.cs.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID76A.tmp-\CustomAction.config rundll32.exe File created C:\Windows\Installer\e56d5a4.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} msiexec.exe File opened for modification C:\Windows\Installer\MSID76A.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000005cb6ed2f2c7878f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000005cb6ed20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090005cb6ed2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msiexec.exerundll32.exepid process 4692 msiexec.exe 4692 msiexec.exe 2752 rundll32.exe 2752 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 3540 msiexec.exe Token: SeIncreaseQuotaPrivilege 3540 msiexec.exe Token: SeSecurityPrivilege 4692 msiexec.exe Token: SeCreateTokenPrivilege 3540 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3540 msiexec.exe Token: SeLockMemoryPrivilege 3540 msiexec.exe Token: SeIncreaseQuotaPrivilege 3540 msiexec.exe Token: SeMachineAccountPrivilege 3540 msiexec.exe Token: SeTcbPrivilege 3540 msiexec.exe Token: SeSecurityPrivilege 3540 msiexec.exe Token: SeTakeOwnershipPrivilege 3540 msiexec.exe Token: SeLoadDriverPrivilege 3540 msiexec.exe Token: SeSystemProfilePrivilege 3540 msiexec.exe Token: SeSystemtimePrivilege 3540 msiexec.exe Token: SeProfSingleProcessPrivilege 3540 msiexec.exe Token: SeIncBasePriorityPrivilege 3540 msiexec.exe Token: SeCreatePagefilePrivilege 3540 msiexec.exe Token: SeCreatePermanentPrivilege 3540 msiexec.exe Token: SeBackupPrivilege 3540 msiexec.exe Token: SeRestorePrivilege 3540 msiexec.exe Token: SeShutdownPrivilege 3540 msiexec.exe Token: SeDebugPrivilege 3540 msiexec.exe Token: SeAuditPrivilege 3540 msiexec.exe Token: SeSystemEnvironmentPrivilege 3540 msiexec.exe Token: SeChangeNotifyPrivilege 3540 msiexec.exe Token: SeRemoteShutdownPrivilege 3540 msiexec.exe Token: SeUndockPrivilege 3540 msiexec.exe Token: SeSyncAgentPrivilege 3540 msiexec.exe Token: SeEnableDelegationPrivilege 3540 msiexec.exe Token: SeManageVolumePrivilege 3540 msiexec.exe Token: SeImpersonatePrivilege 3540 msiexec.exe Token: SeCreateGlobalPrivilege 3540 msiexec.exe Token: SeBackupPrivilege 4924 vssvc.exe Token: SeRestorePrivilege 4924 vssvc.exe Token: SeAuditPrivilege 4924 vssvc.exe Token: SeBackupPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe Token: SeTakeOwnershipPrivilege 4692 msiexec.exe Token: SeRestorePrivilege 4692 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 3540 msiexec.exe 3540 msiexec.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
msiexec.exeMsiExec.exerundll32.exedescription pid process target process PID 4692 wrote to memory of 4276 4692 msiexec.exe srtasks.exe PID 4692 wrote to memory of 4276 4692 msiexec.exe srtasks.exe PID 4692 wrote to memory of 2636 4692 msiexec.exe MsiExec.exe PID 4692 wrote to memory of 2636 4692 msiexec.exe MsiExec.exe PID 2636 wrote to memory of 3744 2636 MsiExec.exe rundll32.exe PID 2636 wrote to memory of 3744 2636 MsiExec.exe rundll32.exe PID 3744 wrote to memory of 2752 3744 rundll32.exe rundll32.exe PID 3744 wrote to memory of 2752 3744 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_16-12-2022_16-47-34.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 0980C2872067E6990E05DAF7B62481DC2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Windows\Installer\MSID76A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240572437 2 test.cs!X1X3X2.Y1yY.Z3z1Z3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSI6cf64a95.msi",init4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\MSI6cf64a95.msiFilesize
1.2MB
MD52e39f1486c47b0ea7f3a03b01963c801
SHA139774ad2b8251f80647eac7df69aaca01a9d9502
SHA256cd65a3c349da4da45a26d8d4e3c07ef4045679feb458221a391375e3e328d52d
SHA5120412565a0df35037a93deaa2621a9b379deb053d488c4cc24492dae6bee6dde34ad23976830c616dd2ecd2dbcbbb373cb2fc18392f36634b7fba7899eca9c7ae
-
C:\Users\Admin\AppData\Local\MSI6cf64a95.msiFilesize
1.2MB
MD52e39f1486c47b0ea7f3a03b01963c801
SHA139774ad2b8251f80647eac7df69aaca01a9d9502
SHA256cd65a3c349da4da45a26d8d4e3c07ef4045679feb458221a391375e3e328d52d
SHA5120412565a0df35037a93deaa2621a9b379deb053d488c4cc24492dae6bee6dde34ad23976830c616dd2ecd2dbcbbb373cb2fc18392f36634b7fba7899eca9c7ae
-
C:\Windows\Installer\MSID76A.tmpFilesize
414KB
MD570df6dba7c06a4352493b4ba091f903b
SHA1867c42e5a34517c23a1fc0521657c8aa8c56ce73
SHA25628784b9fd983e17834d8026b8ea8fcdef49fb9fd0808be02ee6360a698dbdd0c
SHA51238c22e0079d7835b0004a0cee7179a376d21691d6940ebd7f62d3a5f047fd92bcae1c2190be0b8599feaf8078c981b460dd5b53d4f476ba726c7f0b4e2209850
-
C:\Windows\Installer\MSID76A.tmpFilesize
414KB
MD570df6dba7c06a4352493b4ba091f903b
SHA1867c42e5a34517c23a1fc0521657c8aa8c56ce73
SHA25628784b9fd983e17834d8026b8ea8fcdef49fb9fd0808be02ee6360a698dbdd0c
SHA51238c22e0079d7835b0004a0cee7179a376d21691d6940ebd7f62d3a5f047fd92bcae1c2190be0b8599feaf8078c981b460dd5b53d4f476ba726c7f0b4e2209850
-
C:\Windows\Installer\MSID76A.tmpFilesize
414KB
MD570df6dba7c06a4352493b4ba091f903b
SHA1867c42e5a34517c23a1fc0521657c8aa8c56ce73
SHA25628784b9fd983e17834d8026b8ea8fcdef49fb9fd0808be02ee6360a698dbdd0c
SHA51238c22e0079d7835b0004a0cee7179a376d21691d6940ebd7f62d3a5f047fd92bcae1c2190be0b8599feaf8078c981b460dd5b53d4f476ba726c7f0b4e2209850
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.0MB
MD5f53e77e48aaf152a2fab266ecd60eaf2
SHA1202212d72aff9030995fcd7b7eca0921498ffd91
SHA256e4a8ced8e86e00ebf3b3fe9e6d48345ac9dcb32939a44c4f13a90844fce8e54d
SHA51212a02c8e0c7a89153d2e2068ef7dc7f194d1a10a1df418f36fef23dc8b434c832672d8f83e58ec49c55d004a3b922e29daac6a44017ff7680a5e65409f87be11
-
\??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ebbc2651-66bd-4749-a49f-8ca6b997393f}_OnDiskSnapshotPropFilesize
5KB
MD5af1c4b19d5e37f23099f0a8257d4c2c2
SHA1012973bf142c2da033fe197c3577e5648833ac87
SHA256d9bd30333a7d5e32e4b31e440043b9e69076a309191c3099e6f51dae292c4d8e
SHA5122f3765a7b3388ce0084a30153847c9ea8aff1463a6508db54d5641975c1b4e5b1539dbb40d2ad278acc709b21061882e0e57e81d376e7f4ae171fa1694e43279
-
memory/2636-133-0x0000000000000000-mapping.dmp
-
memory/2752-145-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB
-
memory/2752-142-0x0000000000000000-mapping.dmp
-
memory/3744-141-0x000001FEDE3E0000-0x000001FEDEEA1000-memory.dmpFilesize
10.8MB
-
memory/3744-136-0x0000000000000000-mapping.dmp
-
memory/3744-140-0x000001FEDEFC0000-0x000001FEDF030000-memory.dmpFilesize
448KB
-
memory/3744-148-0x000001FEDE3E0000-0x000001FEDEEA1000-memory.dmpFilesize
10.8MB
-
memory/3744-139-0x000001FEDE2D0000-0x000001FEDE2DA000-memory.dmpFilesize
40KB
-
memory/3744-138-0x000001FEDE2E0000-0x000001FEDE30E000-memory.dmpFilesize
184KB
-
memory/4276-132-0x0000000000000000-mapping.dmp