Analysis
- max time kernel: 127s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2022 00:56
Static task: static1
Behavioral task: behavioral1
- Sample: Scan_Invoice_12-09#33.msi
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Scan_Invoice_12-09#33.msi
- Resource: win10v2004-20221111-en
General
- Target: Scan_Invoice_12-09#33.msi
- Size: 824KB
- MD5: 2db446eeebd67710e1ec48a72ab7cf91
- SHA1: 9ec5d729e810087435b57accda5ad6438e63f56d
- SHA256: bfa93bd0442ada6f5f8e8d4bb4edd7cffb90d150db138e7f58668f58a132e32a
- SHA512: 910b0f54a516da8a2ebdfbe79531cce9901d9c586ee40dd54254b11f54fbe121fa28b8ef4c59d898374e32eb94c07877a5bc0a4f3ac6694e5bc264ffa9b3d57d
- SSDEEP: 24576:PHL0R9mTn3Tp9LolK0aID/kJAHCaWPXoPcTPbgrQlRNKIg8gx:Pr0Ra3kK0oaWPXoPcTPbgrQlRNKIg8g
Malware Config
Extracted
- Family: icedid
- Campaign ID: 1178326404
- C2 domain: broskabrwaf.com
Signatures
-
Blocklisted process makes network request (2 IoCs)
Processes:
  flow | pid  | process
  45   | 1988 | rundll32.exe
  54   | 1988 | rundll32.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description       | ioc                                                                                                    | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | rundll32.exe
-
Loads dropped DLL (3 IoCs)
Processes:
  pid  | process
  4624 | MsiExec.exe
  548  | rundll32.exe
  1988 | rundll32.exe
-
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  Two msiexec.exe instances. Every IoC is "File opened (read-only)" by msiexec.exe; each of the 24 drive roots below appears twice in the list, for 48 IoCs in total:
  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N:
  \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
-
Drops file in Windows directory (13 IoCs)
Processes:
  description                  | ioc                                                                         | process
  File opened for modification | C:\Windows\Installer\MSIF3BC.tmp-\WixSharp.dll                              | rundll32.exe
  File created                 | C:\Windows\Installer\e56f225.msi                                            | msiexec.exe
  File opened for modification | C:\Windows\Installer\                                                       | msiexec.exe
  File created                 | C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}       | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIF34E.tmp                                            | msiexec.exe
  File created                 | C:\Windows\Installer\e56f227.msi                                            | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIF3BC.tmp-\test.cs.dll                               | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSIF3BC.tmp-\CustomAction.config                       | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSIF3BC.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
  File opened for modification | C:\Windows\Installer\e56f225.msi                                            | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                    | msiexec.exe
  File created                 | C:\Windows\Installer\inprogressinstallinfo.ipi                              | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIF3BC.tmp                                            | msiexec.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description      | ioc | process
  Key queried      | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created      | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened       | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid  | process
  2532 | msiexec.exe
  2532 | msiexec.exe
  1988 | rundll32.exe
  1988 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (privileges adjusted via token, grouped by process, in the order listed):
  msiexec.exe (PID 2700), 31 IoCs:
    SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  msiexec.exe (PID 2532), 30 IoCs:
    SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, then the pair SeRestorePrivilege, SeTakeOwnershipPrivilege repeated 13 times, then a final SeRestorePrivilege
  vssvc.exe (PID 4876), 3 IoCs:
    SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid  | process
  2700 | msiexec.exe
  2700 | msiexec.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                      | pid  | process      | target process
  PID 2532 wrote to memory of 3984 | 2532 | msiexec.exe  | srtasks.exe
  PID 2532 wrote to memory of 3984 | 2532 | msiexec.exe  | srtasks.exe
  PID 2532 wrote to memory of 4624 | 2532 | msiexec.exe  | MsiExec.exe
  PID 2532 wrote to memory of 4624 | 2532 | msiexec.exe  | MsiExec.exe
  PID 4624 wrote to memory of 548  | 4624 | MsiExec.exe  | rundll32.exe
  PID 4624 wrote to memory of 548  | 4624 | MsiExec.exe  | rundll32.exe
  PID 548 wrote to memory of 1988  | 548  | rundll32.exe | rundll32.exe
  PID 548 wrote to memory of 1988  | 548  | rundll32.exe | rundll32.exe
Processes (tree; indentation shows parent/child relationship)
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Scan_Invoice_12-09#33.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - Child process: C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding A7A9F82FDE12A6BD4C5E2CD3C03AB6FE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Child process: C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe "C:\Windows\Installer\MSIF3BC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240579718 2 test.cs!Test.CustomActions.MyAction
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - Child process: C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpF726.dll",init
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpF726.dll
  Filesize: 374KB
  MD5: 40f21fabcf4a82536bc949f7ede086f7
  SHA1: cc36229bb068dcf105e32ba0c7f5829425cc5d5d
  SHA256: ed9eaffeb9ddc3e8391fc6d020d3adc41724e0f136aa9086d7a2cb5060639b42
  SHA512: eb6db524ad5a44d2c29f60890a9bc69e97481877173f635c38b9e5053566664ac8237279cd6ccc31334dd72436fe5c336ba4d5f0da15504a958be39eac8d3fd5
- C:\Windows\Installer\MSIF3BC.tmp
  Filesize: 413KB
  MD5: 71313c74db46fdd20aa5f3d2c22499df
  SHA1: f2b98b9e6a7cc31616c9394b45944bdf611cfd46
  SHA256: 519a7dc1a3fa8af5ea264eb4237b1a54c3c003fe12c01e3b91d03cf2fb6a4fc0
  SHA512: 3fb7fa74ae15069c5dc4121fbb9fb40cab32e4eea85d3221cb63cfca3471727d09b42b3fdc34a0cc75d048a7f5dc87b6e2e72d62fe58e09dc0ec2befa18e5462
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: 15caeb9984c63b4d64dc17eaae9d62a0
  SHA1: 68a41b4ff49a5118e73ff702cd9f966e2e963245
  SHA256: 7ca5d0771639bdf53d2f6eef91be69087b919c154cfc8fe240111400fc5e951a
  SHA512: bde70086b62cd5d5489570ac228887b0c3e11eab57ea43ae1f231b4aac914e98840f48bf603c6f4f884510b49bd94fee9dc3107814f6870c3f8da5119f315fe7
- \??\Volume{d2609e0b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3be2d464-8448-4758-a442-ee7b9cfef046}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: f8eb5eb9360f01ebc97479f215650049
  SHA1: fe152d7fd0c79876adff6d4529848059c07e40f3
  SHA256: 8a14bb5ae3d8b3258d1cf3ae4f8db36d2f9e207eb6041ff6733fe2ccc9394e68
  SHA512: 1400ebfff315a548bfd5d6e0a3b1ca87b3e77f872c1959ab45f0ed02b225719b0e82ac412b75e80456cfd8b92733cf30381d6e499e3845939ac653c67a46e064
- memory/548-140-0x00000202BF760000-0x00000202BF7D0000-memory.dmp (Filesize: 448KB)
- memory/548-139-0x00000202BF600000-0x00000202BF60A000-memory.dmp (Filesize: 40KB)
- memory/548-138-0x00000202BF650000-0x00000202BF67E000-memory.dmp (Filesize: 184KB)
- memory/548-150-0x00007FF99D010000-0x00007FF99DAD1000-memory.dmp (Filesize: 10.8MB)
- memory/548-136-0x0000000000000000-mapping.dmp
- memory/1988-141-0x0000000000000000-mapping.dmp
- memory/1988-144-0x000002AF5BBD0000-0x000002AF5BBD9000-memory.dmp (Filesize: 36KB)
- memory/3984-132-0x0000000000000000-mapping.dmp
- memory/4624-133-0x0000000000000000-mapping.dmp