Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
19-12-2022 22:44
General
-
Target
soon.msi
-
Size
1.4MB
-
MD5
303b59a952508e0bb83dce110f531ce1
-
SHA1
be036b4b707553694268f876d97c071782c09ce7
-
SHA256
05adcd44c155d9bde8704c6f886889127769f6f3a5b1af23d78e95d9cd402afb
-
SHA512
ce3a9161e8aeb3ef46a5ba04c273aaa44ea977f5a6c90c9696c95c5efc5ce8a960c381944984881da8c51bb2435e207bfa00d9e2902de9a59cc153a1dc1f5901
-
SSDEEP
24576:GHL0mPEJnFbMyaNb8e1e96Pef7k0bNRjpB4dPURa8:Gr05JKya1/BPg1Ra8
Malware Config
Extracted
icedid
3407323965
estrabornhot.com
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Blocklisted process makes network request 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 13 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\soon.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding F0BE999A2F1279233C1D7B342EFA862C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Windows\Installer\MSID566.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240571859 2 test.cs!Test.CustomActions.MyAction3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpD9BB.dll",init4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpD9BB.dllFilesize
970KB
MD505aa16a3e9947bc310f807fdf5cb9b7e
SHA187f620a6908ff9b070ff8c59e05fc8ef33097478
SHA256484588c9c4bf409f86a8c4e86fa4b3f2881978e178a438c5fcee6e18b3e22eb3
SHA5122bcbbf34b66c91b10decfa98e78178e35bebea4d56619fe40f83b026490c83595072ea0fff0e07a2ddebc2cc578bba1c4f4270491274c4602fa4fbc780e695dd
-
C:\Users\Admin\AppData\Local\Temp\tmpD9BB.dllFilesize
970KB
MD505aa16a3e9947bc310f807fdf5cb9b7e
SHA187f620a6908ff9b070ff8c59e05fc8ef33097478
SHA256484588c9c4bf409f86a8c4e86fa4b3f2881978e178a438c5fcee6e18b3e22eb3
SHA5122bcbbf34b66c91b10decfa98e78178e35bebea4d56619fe40f83b026490c83595072ea0fff0e07a2ddebc2cc578bba1c4f4270491274c4602fa4fbc780e695dd
-
C:\Windows\Installer\MSID566.tmpFilesize
413KB
MD58a4e220f25eb2af7e4284d094ddc2b53
SHA15038bf05502caf9f0f49d9e9845efa6693874a57
SHA256ee9279ded747c2744f77bcf7e11cbf56837160ad7ad4a077554f66728fd005d7
SHA51253ed4978d8ea8b2768475fa1f8c1bfa4a36b95ca356e31745aa57bef81ba80975ace043d443fabecafe61513f45e321eb8c6bb3d6b9c0e68a535f180eccd9905
-
C:\Windows\Installer\MSID566.tmpFilesize
413KB
MD58a4e220f25eb2af7e4284d094ddc2b53
SHA15038bf05502caf9f0f49d9e9845efa6693874a57
SHA256ee9279ded747c2744f77bcf7e11cbf56837160ad7ad4a077554f66728fd005d7
SHA51253ed4978d8ea8b2768475fa1f8c1bfa4a36b95ca356e31745aa57bef81ba80975ace043d443fabecafe61513f45e321eb8c6bb3d6b9c0e68a535f180eccd9905
-
C:\Windows\Installer\MSID566.tmpFilesize
413KB
MD58a4e220f25eb2af7e4284d094ddc2b53
SHA15038bf05502caf9f0f49d9e9845efa6693874a57
SHA256ee9279ded747c2744f77bcf7e11cbf56837160ad7ad4a077554f66728fd005d7
SHA51253ed4978d8ea8b2768475fa1f8c1bfa4a36b95ca356e31745aa57bef81ba80975ace043d443fabecafe61513f45e321eb8c6bb3d6b9c0e68a535f180eccd9905
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
11.8MB
MD55b5fbff7bfe29741575332882128730d
SHA1645ab6406c3fb7f87a971918e742ff9ceb83a0c5
SHA256e8fb8366615a980aec1e17ad8dd2931e428489a5002efa375cd7b9214c45e42e
SHA51237823a441755488ee5fdb099d344f0f313d0e1c5fcd56c87150ffcf62f57cfaab94b23b75679d818a48d4dc1b3d944aba02786479ca3cde5c2f1ecfbf038aa48
-
\??\Volume{2339e045-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{85a3600d-203f-43a6-8f2c-f6052df63fdc}_OnDiskSnapshotPropFilesize
5KB
MD57e46399e2dae5a7433b19b3992c29b5b
SHA15a7115e9f57eff72c76c933abff29b7adbc29fa7
SHA256c2ddbbe89af8cbc3f88d11d2eb46887a644af557f1b954ad5ee4ce4407d3d886
SHA5128683c82c947d305333029f36d22230eb215b57c24bfd3e769cb0ef47c1f9a82ec0e696f77844f2353e86ce467b510a032c7e7b9ea157f02bbb76d2aa73f22927
-
memory/1040-132-0x0000000000000000-mapping.dmp
-
memory/1604-136-0x0000000000000000-mapping.dmp
-
memory/1604-138-0x000001FE97DC0000-0x000001FE97DEE000-memory.dmpFilesize
184KB
-
memory/1604-139-0x000001FE97DA0000-0x000001FE97DAA000-memory.dmpFilesize
40KB
-
memory/1604-140-0x000001FEB03A0000-0x000001FEB0410000-memory.dmpFilesize
448KB
-
memory/1604-141-0x00007FFDB55C0000-0x00007FFDB6081000-memory.dmpFilesize
10.8MB
-
memory/1604-146-0x00007FFDB55C0000-0x00007FFDB6081000-memory.dmpFilesize
10.8MB
-
memory/4304-142-0x0000000000000000-mapping.dmp
-
memory/4304-145-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB
-
memory/5100-133-0x0000000000000000-mapping.dmp