Analysis
- max time kernel: 142s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2022 22:44
Static task: static1
Behavioral task: behavioral1
- Sample: soon.msi
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: soon.msi
- Resource: win10v2004-20220901-en
General
- Target: soon.msi
- Size: 1.4MB
- MD5: 303b59a952508e0bb83dce110f531ce1
- SHA1: be036b4b707553694268f876d97c071782c09ce7
- SHA256: 05adcd44c155d9bde8704c6f886889127769f6f3a5b1af23d78e95d9cd402afb
- SHA512: ce3a9161e8aeb3ef46a5ba04c273aaa44ea977f5a6c90c9696c95c5efc5ce8a960c381944984881da8c51bb2435e207bfa00d9e2902de9a59cc153a1dc1f5901
- SSDEEP: 24576:GHL0mPEJnFbMyaNb8e1e96Pef7k0bNRjpB4dPURa8:Gr05JKya1/BPg1Ra8
Malware Config
Extracted
- Family: icedid
- Campaign: 3407323965
- C2: estrabornhot.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow | pid | process
  27 | 4304 | rundll32.exe
  45 | 4304 | rundll32.exe
  47 | 4304 | rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | rundll32.exe
- Loads dropped DLL (3 IoCs)
  pid | process
  5100 | MsiExec.exe
  1604 | rundll32.exe
  4304 | rundll32.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\A: through \??\Z: (C: and D: excluded) | msiexec.exe
  Each of the 24 drive letters A, B and E through Z is opened read-only by each of the two msiexec.exe processes, 48 events in total.
- Drops file in Windows directory (13 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\Installer\e56d4aa.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSID566.tmp-\test.cs.dll | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSID566.tmp-\WixSharp.dll | rundll32.exe
  File created | C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} | msiexec.exe
  File created | C:\Windows\Installer\e56d4ac.msi | msiexec.exe
  File created | C:\Windows\Installer\e56d4aa.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSID566.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSID566.tmp-\CustomAction.config | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSID566.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIDEFC.tmp | msiexec.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | process
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not preserved in this copy of the report] | vssvc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  4304 | rundll32.exe
  4304 | rundll32.exe
  3972 | msiexec.exe
  3972 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  process (pid) | tokens
  msiexec.exe (1572) | 31 tokens, in order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  msiexec.exe (3972) | 30 tokens: SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege (15 in total) alternating with SeTakeOwnershipPrivilege (13 in total)
  vssvc.exe (2868) | 3 tokens: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  1572 | msiexec.exe
  1572 | msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 3972 wrote to memory of 1040 | 3972 | msiexec.exe | srtasks.exe
  PID 3972 wrote to memory of 1040 | 3972 | msiexec.exe | srtasks.exe
  PID 3972 wrote to memory of 5100 | 3972 | msiexec.exe | MsiExec.exe
  PID 3972 wrote to memory of 5100 | 3972 | msiexec.exe | MsiExec.exe
  PID 5100 wrote to memory of 1604 | 5100 | MsiExec.exe | rundll32.exe
  PID 5100 wrote to memory of 1604 | 5100 | MsiExec.exe | rundll32.exe
  PID 1604 wrote to memory of 4304 | 1604 | rundll32.exe | rundll32.exe
  PID 1604 wrote to memory of 4304 | 1604 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\soon.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding F0BE999A2F1279233C1D7B342EFA862C
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe "C:\Windows\Installer\MSID566.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240571859 2 test.cs!Test.CustomActions.MyAction
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpD9BB.dll",init
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
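The process tree above is the part of this report worth turning into a detection. The msiexec.exe service instance (/V) spawns an MsiExec.exe -Embedding host, which runs a WiX DTF/SfxCA managed custom action inside rundll32.exe (the zzzzInvokeManagedCustomActionOutOfProc entry point, with WixSharp.dll and Microsoft.Deployment.WindowsInstaller.dll unpacked next to MSID566.tmp). That custom action launches a second rundll32.exe that loads tmpD9BB.dll from the user's Temp directory through its init export, and that second rundll32.exe is the only process in the tree that makes network requests. Managed custom actions of this shape are normal for legitimate installers built with WixSharp, so the custom action alone is not a signal; the child rundll32 loading a Temp DLL, correlated with the network flows, is. The Python below is an added example and not part of the sandbox output: it reconstructs the tree from process-creation records built from the PIDs and command lines listed in this report (the record layout of pid, ppid, image and command line is an assumption loosely modelled on Sysmon Event ID 1) and flags exactly that pattern.

```python
"""Flag the msiexec -> MsiExec -Embedding -> SfxCA rundll32 -> Temp-DLL rundll32 chain.
Added example for this report, not part of the sandbox output. EVENTS and FLOWS are
constructed from the report's process tree and network signature; the record layout
(pid, ppid, image, cmdline) is an assumption loosely modelled on Sysmon Event ID 1."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int  # 0 where the report does not record the parent
    image: str
    cmdline: str


# Constructed from the report's "Processes" section; PIDs come from its signature tables.
EVENTS: List[ProcEvent] = [
    ProcEvent(1572, 0, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\soon.msi"),
    ProcEvent(3972, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(1040, 3972, r"C:\Windows\system32\srtasks.exe",
              r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    ProcEvent(5100, 3972, r"C:\Windows\System32\MsiExec.exe",
              r"C:\Windows\System32\MsiExec.exe -Embedding F0BE999A2F1279233C1D7B342EFA862C"),
    ProcEvent(1604, 5100, r"C:\Windows\system32\rundll32.exe",
              r'rundll32.exe "C:\Windows\Installer\MSID566.tmp",zzzzInvokeManagedCustomActionOutOfProc '
              r"SfxCA_240571859 2 test.cs!Test.CustomActions.MyAction"),
    ProcEvent(4304, 1604, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpD9BB.dll",init'),
    ProcEvent(2868, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]
# Constructed from "Blocklisted process makes network request": (flow id, pid).
FLOWS: List[Tuple[int, int]] = [(27, 4304), (45, 4304), (47, 4304)]

# rundll32 takes "<dll>,<entrypoint> [args]"; the DLL path may be quoted.
_RUNDLL_TARGET = re.compile(r'"?([^",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
_USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Drop argv[0] (quoted or bare) so only the program's own arguments remain."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].lstrip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def is_managed_custom_action(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """rundll32 hosting a WiX DTF/SfxCA managed custom action for an MsiExec -Embedding host.
    Legitimate WixSharp/DTF installers do exactly this, so this is context, not an alert."""
    parent = by_pid.get(ev.ppid)
    return (basename(ev.image) == "rundll32.exe"
            and "zzzzInvokeManagedCustomActionOutOfProc" in ev.cmdline
            and parent is not None and basename(parent.image) == "msiexec.exe"
            and "-Embedding" in parent.cmdline)


def rundll32_temp_dll(ev: ProcEvent) -> Optional[Tuple[str, str]]:
    """(dll_path, export) when rundll32 loads a DLL from the user's Temp directory."""
    if basename(ev.image) != "rundll32.exe":
        return None
    m = _RUNDLL_TARGET.search(args_after_image(ev.cmdline))
    if m and _USER_TEMP.search(m.group(1)):
        return m.group(1), m.group(2)
    return None


def lineage(pid: int, by_pid: Dict[int, ProcEvent]) -> List[int]:
    """PIDs from the process up to its last recorded ancestor."""
    chain: List[int] = []
    while pid in by_pid and pid not in chain:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def find_chains(events: List[ProcEvent]) -> List[Tuple[int, int, str, str]]:
    """(custom-action pid, loader pid, dll, export) for each Temp-DLL rundll32 whose
    parent is a managed custom action."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        target, parent = rundll32_temp_dll(ev), by_pid.get(ev.ppid)
        if target and parent and is_managed_custom_action(parent, by_pid):
            hits.append((parent.pid, ev.pid, target[0], target[1]))
    return hits


def egress_pids(chains, flows) -> Set[int]:
    """Loader PIDs from find_chains() that also appear in the network flows."""
    loaders = {loader for _, loader, _, _ in chains}
    return {pid for _, pid in flows if pid in loaders}


if __name__ == "__main__":
    by_pid = {e.pid: e for e in EVENTS}
    for ca_pid, loader_pid, dll, export in find_chains(EVENTS):
        print(f"custom action {ca_pid} -> rundll32 {loader_pid} loads {dll}!{export}; "
              f"lineage {' <- '.join(map(str, lineage(loader_pid, by_pid)))}")
    print("loaders with network egress:", sorted(egress_pids(find_chains(EVENTS), FLOWS)))
```

Run as a script it reports the single hit (custom action 1604 spawning rundll32 4304, which loads tmpD9BB.dll!init) with the lineage 4304 <- 1604 <- 5100 <- 3972 and confirms that 4304 is the process behind the three network flows. On real telemetry, replace EVENTS and FLOWS with records from Sysmon or your EDR and keep the parent check: a rundll32 loading a Temp DLL without the installer ancestry is a different pattern and should get its own rule rather than be folded into this one.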
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD9BB.dll
  Filesize: 970KB
  MD5: 05aa16a3e9947bc310f807fdf5cb9b7e
  SHA1: 87f620a6908ff9b070ff8c59e05fc8ef33097478
  SHA256: 484588c9c4bf409f86a8c4e86fa4b3f2881978e178a438c5fcee6e18b3e22eb3
  SHA512: 2bcbbf34b66c91b10decfa98e78178e35bebea4d56619fe40f83b026490c83595072ea0fff0e07a2ddebc2cc578bba1c4f4270491274c4602fa4fbc780e695dd
- C:\Windows\Installer\MSID566.tmp
  Filesize: 413KB
  MD5: 8a4e220f25eb2af7e4284d094ddc2b53
  SHA1: 5038bf05502caf9f0f49d9e9845efa6693874a57
  SHA256: ee9279ded747c2744f77bcf7e11cbf56837160ad7ad4a077554f66728fd005d7
  SHA512: 53ed4978d8ea8b2768475fa1f8c1bfa4a36b95ca356e31745aa57bef81ba80975ace043d443fabecafe61513f45e321eb8c6bb3d6b9c0e68a535f180eccd9905
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 11.8MB
  MD5: 5b5fbff7bfe29741575332882128730d
  SHA1: 645ab6406c3fb7f87a971918e742ff9ceb83a0c5
  SHA256: e8fb8366615a980aec1e17ad8dd2931e428489a5002efa375cd7b9214c45e42e
  SHA512: 37823a441755488ee5fdb099d344f0f313d0e1c5fcd56c87150ffcf62f57cfaab94b23b75679d818a48d4dc1b3d944aba02786479ca3cde5c2f1ecfbf038aa48
- \??\Volume{2339e045-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{85a3600d-203f-43a6-8f2c-f6052df63fdc}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 7e46399e2dae5a7433b19b3992c29b5b
  SHA1: 5a7115e9f57eff72c76c933abff29b7adbc29fa7
  SHA256: c2ddbbe89af8cbc3f88d11d2eb46887a644af557f1b954ad5ee4ce4407d3d886
  SHA512: 8683c82c947d305333029f36d22230eb215b57c24bfd3e769cb0ef47c1f9a82ec0e696f77844f2353e86ce467b510a032c7e7b9ea157f02bbb76d2aa73f22927
- memory/1040-132-0x0000000000000000-mapping.dmp
- memory/1604-136-0x0000000000000000-mapping.dmp
- memory/1604-138-0x000001FE97DC0000-0x000001FE97DEE000-memory.dmp (Filesize: 184KB)
- memory/1604-139-0x000001FE97DA0000-0x000001FE97DAA000-memory.dmp (Filesize: 40KB)
- memory/1604-140-0x000001FEB03A0000-0x000001FEB0410000-memory.dmp (Filesize: 448KB)
- memory/1604-141-0x00007FFDB55C0000-0x00007FFDB6081000-memory.dmp (Filesize: 10.8MB)
- memory/1604-146-0x00007FFDB55C0000-0x00007FFDB6081000-memory.dmp (Filesize: 10.8MB)
- memory/4304-142-0x0000000000000000-mapping.dmp
- memory/4304-145-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
- memory/5100-133-0x0000000000000000-mapping.dmp