Analysis
  Max time kernel: 94s
  Max time network: 144s
  Platform: windows10-2004_x64
  Resource: win10v2004-20221111-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 16-12-2022 18:13
Static task: static1
Behavioral task: behavioral1
  Sample: Setup_Win_16-12-2022_16-44-02.msi
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: Setup_Win_16-12-2022_16-44-02.msi
  Resource: win10v2004-20221111-en
General
  Target: Setup_Win_16-12-2022_16-44-02.msi
  Size: 1.6MB
  MD5: 3c73ad35ebf42f6a1d86ccc38c9064bf
  SHA1: 373b8c8703d210309dbf5c0e16273291cf178410
  SHA256: eae56a04a2d97fa21725cdada3dbf537c299eb8fa86a71e186c92ac42194cfa6
  SHA512: c92b5b7196197f84b457d8c23964612c907ae72bdeaf4489d95caee2b0c3c0216717905db0194827341922d19f7fb31531a8a7caf79ec6e603c6ea3040b6ff13
  SSDEEP: 24576:aHL0EvwglMtNroES7S8asBci5cRMyBAUIqw5NOcH9iIDMNUEer0OVTm10ku2w:ar03glMbr3SWpsWjRMMKIIDB/k
Malware Config
Extracted (family: icedid)
  1228806356
  klepdrafooip.com
Signatures
Blocklisted process makes network request (2 IoCs)
Processes: rundll32.exe
  - flow 32, pid 2804, rundll32.exe
  - flow 43, pid 2804, rundll32.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: rundll32.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (rundll32.exe)
Loads dropped DLL (3 IoCs)
Processes: MsiExec.exe, rundll32.exe, rundll32.exe
  - pid 1216, MsiExec.exe
  - pid 880, rundll32.exe
  - pid 2804, rundll32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
All 48 IoCs are "File opened (read-only)" by msiexec.exe on a drive root, recorded in this order:
  \??\Q:, \??\X:, \??\G:, \??\I:, \??\J:, \??\Q:, \??\S:, \??\A:, \??\J:, \??\P:, \??\F:, \??\M:, \??\P:, \??\O:, \??\X:, \??\L:, \??\M:, \??\N:, \??\U:, \??\G:, \??\Z:, \??\E:, \??\F:, \??\O:, \??\V:, \??\K:, \??\L:, \??\W:, \??\R:, \??\T:, \??\V:, \??\N:, \??\T:, \??\A:, \??\B:, \??\E:, \??\W:, \??\Y:, \??\Z:, \??\H:, \??\B:, \??\S:, \??\K:, \??\R:, \??\U:, \??\Y:, \??\H:, \??\I:
Drops file in Windows directory (13 IoCs)
Processes: msiexec.exe, rundll32.exe
  - File created: C:\Windows\Installer\e56ca1b.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSICC00.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSICC00.tmp-\CustomAction.config (rundll32.exe)
  - File opened for modification: C:\Windows\Installer\MSICC00.tmp-\Microsoft.Deployment.WindowsInstaller.dll (rundll32.exe)
  - File opened for modification: C:\Windows\Installer\e56ca1b.msi (msiexec.exe)
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  - File created: C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSICB73.tmp (msiexec.exe)
  - File created: C:\Windows\Installer\e56ca1d.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSICC00.tmp-\test.cs.dll (rundll32.exe)
  - File opened for modification: C:\Windows\Installer\MSICC00.tmp-\WixSharp.dll (rundll32.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not captured in this report) (vssvc.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: msiexec.exe, rundll32.exe
  - pid 1132, msiexec.exe
  - pid 1132, msiexec.exe
  - pid 2804, rundll32.exe
  - pid 2804, rundll32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe
  - Token: SeShutdownPrivilege, pid 1988, msiexec.exe
  - Token: SeIncreaseQuotaPrivilege, pid 1988, msiexec.exe
  - Token: SeSecurityPrivilege, pid 1132, msiexec.exe
  - Token: SeCreateTokenPrivilege, pid 1988, msiexec.exe
  - Token: SeAssignPrimaryTokenPrivilege, pid 1988, msiexec.exe
  - Token: SeLockMemoryPrivilege, pid 1988, msiexec.exe
  - Token: SeIncreaseQuotaPrivilege, pid 1988, msiexec.exe
  - Token: SeMachineAccountPrivilege, pid 1988, msiexec.exe
  - Token: SeTcbPrivilege, pid 1988, msiexec.exe
  - Token: SeSecurityPrivilege, pid 1988, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 1988, msiexec.exe
  - Token: SeLoadDriverPrivilege, pid 1988, msiexec.exe
  - Token: SeSystemProfilePrivilege, pid 1988, msiexec.exe
  - Token: SeSystemtimePrivilege, pid 1988, msiexec.exe
  - Token: SeProfSingleProcessPrivilege, pid 1988, msiexec.exe
  - Token: SeIncBasePriorityPrivilege, pid 1988, msiexec.exe
  - Token: SeCreatePagefilePrivilege, pid 1988, msiexec.exe
  - Token: SeCreatePermanentPrivilege, pid 1988, msiexec.exe
  - Token: SeBackupPrivilege, pid 1988, msiexec.exe
  - Token: SeRestorePrivilege, pid 1988, msiexec.exe
  - Token: SeShutdownPrivilege, pid 1988, msiexec.exe
  - Token: SeDebugPrivilege, pid 1988, msiexec.exe
  - Token: SeAuditPrivilege, pid 1988, msiexec.exe
  - Token: SeSystemEnvironmentPrivilege, pid 1988, msiexec.exe
  - Token: SeChangeNotifyPrivilege, pid 1988, msiexec.exe
  - Token: SeRemoteShutdownPrivilege, pid 1988, msiexec.exe
  - Token: SeUndockPrivilege, pid 1988, msiexec.exe
  - Token: SeSyncAgentPrivilege, pid 1988, msiexec.exe
  - Token: SeEnableDelegationPrivilege, pid 1988, msiexec.exe
  - Token: SeManageVolumePrivilege, pid 1988, msiexec.exe
  - Token: SeImpersonatePrivilege, pid 1988, msiexec.exe
  - Token: SeCreateGlobalPrivilege, pid 1988, msiexec.exe
  - Token: SeBackupPrivilege, pid 4632, vssvc.exe
  - Token: SeRestorePrivilege, pid 4632, vssvc.exe
  - Token: SeAuditPrivilege, pid 4632, vssvc.exe
  - Token: SeBackupPrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
  - Token: SeTakeOwnershipPrivilege, pid 1132, msiexec.exe
  - Token: SeRestorePrivilege, pid 1132, msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  - pid 1988, msiexec.exe
  - pid 1988, msiexec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: msiexec.exe, MsiExec.exe, rundll32.exe
  - PID 1132 wrote to memory of 2584: msiexec.exe -> srtasks.exe
  - PID 1132 wrote to memory of 2584: msiexec.exe -> srtasks.exe
  - PID 1132 wrote to memory of 1216: msiexec.exe -> MsiExec.exe
  - PID 1132 wrote to memory of 1216: msiexec.exe -> MsiExec.exe
  - PID 1216 wrote to memory of 880: MsiExec.exe -> rundll32.exe
  - PID 1216 wrote to memory of 880: MsiExec.exe -> rundll32.exe
  - PID 880 wrote to memory of 2804: rundll32.exe -> rundll32.exe
  - PID 880 wrote to memory of 2804: rundll32.exe -> rundll32.exe
Processes (indented by process-tree depth; each entry lists its image path, command line and the signatures it triggered)

C:\Windows\system32\msiexec.exe (depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_16-12-2022_16-44-02.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe (depth 2)
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    C:\Windows\System32\MsiExec.exe (depth 2)
      Command line: C:\Windows\System32\MsiExec.exe -Embedding FEF10BA23FA91752537442108A7EB6EE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\rundll32.exe (depth 3)
          Command line: rundll32.exe "C:\Windows\Installer\MSICC00.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240569484 2 test.cs!X1X3X2.Y1yY.Z3z1Z
          - Checks computer location settings
          - Loads dropped DLL
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory

            C:\Windows\System32\rundll32.exe (depth 4)
              Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSIde89e1f9.msi",init
              - Blocklisted process makes network request
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\MSIde89e1f9.msi
  Filesize: 1.2MB
  MD5: 2e39f1486c47b0ea7f3a03b01963c801
  SHA1: 39774ad2b8251f80647eac7df69aaca01a9d9502
  SHA256: cd65a3c349da4da45a26d8d4e3c07ef4045679feb458221a391375e3e328d52d
  SHA512: 0412565a0df35037a93deaa2621a9b379deb053d488c4cc24492dae6bee6dde34ad23976830c616dd2ecd2dbcbbb373cb2fc18392f36634b7fba7899eca9c7ae
C:\Windows\Installer\MSICC00.tmp
  Filesize: 414KB
  MD5: fe611fb385e6e26410bd25fb112810d6
  SHA1: e76a1f6842d7c5137539732ca54604f3c033d802
  SHA256: 09d882fed272c3648bf53a54ffc6c96103c0668ef05c69603ba3c1e045339cb7
  SHA512: 850978d5846781f50c35711395c5ab7c354cdd21f69fca73b4f6a7150de4e8385a494b62b56fc23b1ed4eff4721ced8a797297fd254baa58d197f36d7eb9e92d
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: fbd34bcd5f4cab0cb59fb68d4370ad0b
  SHA1: d6a047dd8e35e7f2a628f6281c19af1d0df60221
  SHA256: 48105b69d4b2ddacc8a76e073367688e45f302fb095262e931f29376d0189c32
  SHA512: c89eef4c4d5d36a29b5528ed241ee028c556082743afbadff1435c1b675ca439ea9873339c417d618937ea1732624dfb4597c02168de28f38d4d431d3028b6ed
\??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a512bc84-48d1-4fc8-95d5-e6442b6d8084}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: ff06122424422d029fe12044c7db52c3
  SHA1: 8059683359c0ad793f1eedc288ccffdc1500efc0
  SHA256: 71c415a7ddb1210bfa98eeee45ae4831874d2fd9ea55a3684aa279e28c43a7f5
  SHA512: 7e78a54ca8a9692301f01fa05b410c0c9595523a6253c42241848a9cb2d429598e8f0b005cd44bf53743ce08b509308fe1c7ffb8c8b920a408c48b74ff5c1fb4
Memory dumps
  memory/880-138-0x000002B5AB6F0000-0x000002B5AB71E000-memory.dmp (Filesize: 184KB)
  memory/880-139-0x000002B5AB6E0000-0x000002B5AB6EA000-memory.dmp (Filesize: 40KB)
  memory/880-140-0x000002B5C3F20000-0x000002B5C3F90000-memory.dmp (Filesize: 448KB)
  memory/880-141-0x00007FF895790000-0x00007FF896251000-memory.dmp (Filesize: 10.8MB)
  memory/880-136-0x0000000000000000-mapping.dmp
  memory/880-148-0x00007FF895790000-0x00007FF896251000-memory.dmp (Filesize: 10.8MB)
  memory/1216-133-0x0000000000000000-mapping.dmp
  memory/2584-132-0x0000000000000000-mapping.dmp
  memory/2804-142-0x0000000000000000-mapping.dmp
  memory/2804-145-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)