Analysis
- max time kernel: 132s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
- submitted: 19/12/2022, 00:56

Static task: static1

Behavioral task: behavioral1
- Sample: Scan_Invoice_12-09#33.msi
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: Scan_Invoice_12-09#33.msi
- Resource: win10v2004-20221111-en
General
- Target: Scan_Invoice_12-09#33.msi
- Size: 824KB
- MD5: 2db446eeebd67710e1ec48a72ab7cf91
- SHA1: 9ec5d729e810087435b57accda5ad6438e63f56d
- SHA256: bfa93bd0442ada6f5f8e8d4bb4edd7cffb90d150db138e7f58668f58a132e32a
- SHA512: 910b0f54a516da8a2ebdfbe79531cce9901d9c586ee40dd54254b11f54fbe121fa28b8ef4c59d898374e32eb94c07877a5bc0a4f3ac6694e5bc264ffa9b3d57d
- SSDEEP: 24576:PHL0R9mTn3Tp9LolK0aID/kJAHCaWPXoPcTPbgrQlRNKIg8gx:Pr0Ra3kK0oaWPXoPcTPbgrQlRNKIg8g
Malware Config
Extracted
icedid
1178326404
broskabrwaf.com
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  3     1472  rundll32.exe
  6     1472  rundll32.exe

- Loads dropped DLL (6 IoCs)
  pid   Process
  1120  MsiExec.exe
  1780  rundll32.exe
  1472  rundll32.exe
  1472  rundll32.exe
  1472  rundll32.exe
  1472  rundll32.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Windows directory (15 IoCs)
  description                   ioc                                                                          Process
  File opened for modification  C:\Windows\INF\setupapi.ev3                                                  DrvInst.exe
  File opened for modification  C:\Windows\INF\setupapi.ev1                                                  DrvInst.exe
  File created                  C:\Windows\Installer\6d0149.msi                                              msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                        msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI497.tmp-\Microsoft.Deployment.WindowsInstaller.dll  rundll32.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log                                              DrvInst.exe
  File opened for modification  C:\Windows\Installer\MSI497.tmp-\CustomAction.config                         rundll32.exe
  File opened for modification  C:\Windows\Installer\MSI497.tmp                                              msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI497.tmp-\test.cs.dll                                 rundll32.exe
  File opened for modification  C:\Windows\Installer\MSI497.tmp-\WixSharp.dll                                rundll32.exe
  File opened for modification  C:\Windows\Installer\6d0149.msi                                              msiexec.exe
  File created                  C:\Windows\Installer\6d014a.ipi                                              msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI3B9.tmp                                              msiexec.exe
  File created                  C:\Windows\Installer\6d014c.msi                                              msiexec.exe
  File opened for modification  C:\Windows\Installer\6d014a.ipi                                              msiexec.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (43 IoCs)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1992  msiexec.exe
  1992  msiexec.exe
  1472  rundll32.exe
  1472  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid  Process
  784  msiexec.exe
  784  msiexec.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process       procid_target
  PID 1992 wrote to memory of 1120   1992  msiexec.exe   30
  PID 1992 wrote to memory of 1120   1992  msiexec.exe   30
  PID 1992 wrote to memory of 1120   1992  msiexec.exe   30
  PID 1992 wrote to memory of 1120   1992  msiexec.exe   30
  PID 1992 wrote to memory of 1120   1992  msiexec.exe   30
  PID 1120 wrote to memory of 1780   1120  MsiExec.exe   31
  PID 1120 wrote to memory of 1780   1120  MsiExec.exe   31
  PID 1120 wrote to memory of 1780   1120  MsiExec.exe   31
  PID 1780 wrote to memory of 1472   1780  rundll32.exe  32
  PID 1780 wrote to memory of 1472   1780  rundll32.exe  32
  PID 1780 wrote to memory of 1472   1780  rundll32.exe  32
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Scan_Invoice_12-09#33.msi
  PID: 784
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1992
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\MsiExec.exe
    Command line: C:\Windows\system32\MsiExec.exe -Embedding B72927A0762974DE245ECE46ABA77D52
    PID: 1120
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe "C:\Windows\Installer\MSI497.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7144861 1 test.cs!Test.CustomActions.MyAction
      PID: 1780
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      - C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpF5D.dll",init
        PID: 1472
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1560
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002FC" "0000000000000570"
  PID: 1788
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 374KB
  MD5: 40f21fabcf4a82536bc949f7ede086f7
  SHA1: cc36229bb068dcf105e32ba0c7f5829425cc5d5d
  SHA256: ed9eaffeb9ddc3e8391fc6d020d3adc41724e0f136aa9086d7a2cb5060639b42
  SHA512: eb6db524ad5a44d2c29f60890a9bc69e97481877173f635c38b9e5053566664ac8237279cd6ccc31334dd72436fe5c336ba4d5f0da15504a958be39eac8d3fd5

- Filesize: 413KB
  MD5: 71313c74db46fdd20aa5f3d2c22499df
  SHA1: f2b98b9e6a7cc31616c9394b45944bdf611cfd46
  SHA256: 519a7dc1a3fa8af5ea264eb4237b1a54c3c003fe12c01e3b91d03cf2fb6a4fc0
  SHA512: 3fb7fa74ae15069c5dc4121fbb9fb40cab32e4eea85d3221cb63cfca3471727d09b42b3fdc34a0cc75d048a7f5dc87b6e2e72d62fe58e09dc0ec2befa18e5462