Analysis

max time kernel: 92s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2022 12:49
Static task: static1

Behavioral task: behavioral1
  Sample: Setup_Win_14-12-2022_18-36-29.msi
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: Setup_Win_14-12-2022_18-36-29.msi
  Resource: win10v2004-20221111-en
General

Target: Setup_Win_14-12-2022_18-36-29.msi
Size: 1.9MB
MD5: 483a92951b440f2212fbfba38174d8a4
SHA1: 914b9a827b1937935681a033b1c32a2df97a4874
SHA256: 63a7d98369925d6e98994cdb5937bd896506665be9f80dc55de7eb6df00f7607
SHA512: 336d65a516d8503ec939cb52d186b42d1dc41abc253ac85262bd251f4c63f81fa78d8f48122e608c91ec7f6cf43db1daf87c9c26f6636fa6410d10541018a93b
SSDEEP: 49152:Jr0QHD5a4/7yGe8EsuRMEl73hXNGzchfzYZppUQ:Jr08MuLshh
Malware Config
Extracted
icedid
1002085315
klepdrafooip.com
Signatures

Blocklisted process makes network request (2 IoCs)
  flow | pid | process
  23 | 5096 | rundll32.exe
  38 | 5096 | rundll32.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | rundll32.exe
Loads dropped DLL (3 IoCs)
  pid | process
  4972 | MsiExec.exe
  3552 | rundll32.exe
  5096 | rundll32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process | count
  File opened (read-only) | \??\A: | msiexec.exe | 2
  File opened (read-only) | \??\B: | msiexec.exe | 2
  File opened (read-only) | \??\E: | msiexec.exe | 2
  File opened (read-only) | \??\F: | msiexec.exe | 2
  File opened (read-only) | \??\G: | msiexec.exe | 2
  File opened (read-only) | \??\H: | msiexec.exe | 2
  File opened (read-only) | \??\I: | msiexec.exe | 2
  File opened (read-only) | \??\J: | msiexec.exe | 2
  File opened (read-only) | \??\K: | msiexec.exe | 2
  File opened (read-only) | \??\L: | msiexec.exe | 2
  File opened (read-only) | \??\M: | msiexec.exe | 2
  File opened (read-only) | \??\N: | msiexec.exe | 2
  File opened (read-only) | \??\O: | msiexec.exe | 2
  File opened (read-only) | \??\P: | msiexec.exe | 2
  File opened (read-only) | \??\Q: | msiexec.exe | 2
  File opened (read-only) | \??\R: | msiexec.exe | 2
  File opened (read-only) | \??\S: | msiexec.exe | 2
  File opened (read-only) | \??\T: | msiexec.exe | 2
  File opened (read-only) | \??\U: | msiexec.exe | 2
  File opened (read-only) | \??\V: | msiexec.exe | 2
  File opened (read-only) | \??\W: | msiexec.exe | 2
  File opened (read-only) | \??\X: | msiexec.exe | 2
  File opened (read-only) | \??\Y: | msiexec.exe | 2
  File opened (read-only) | \??\Z: | msiexec.exe | 2
Drops file in Windows directory (13 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\Installer\MSIE247.tmp-\test.cs.dll | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSIE247.tmp-\CustomAction.config | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSIE247.tmp-\WixSharp.dll | rundll32.exe
  File opened for modification | C:\Windows\Installer\MSIE247.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
  File opened for modification | C:\Windows\Installer\e56e052.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIE247.tmp | msiexec.exe
  File created | C:\Windows\Installer\e56e054.msi | msiexec.exe
  File created | C:\Windows\Installer\e56e052.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIE19B.tmp | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000106161d2e731958f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000106161d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900106161d2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000106161d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000106161d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  2852 | msiexec.exe
  2852 | msiexec.exe
  5096 | rundll32.exe
  5096 | rundll32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid | process | tokens, in order of appearance
  1480 | msiexec.exe | SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 entries)
  2088 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 entries)
  2852 | msiexec.exe | SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, then SeTakeOwnershipPrivilege and SeRestorePrivilege alternating for 13 further pairs (30 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  1480 | msiexec.exe
  1480 | msiexec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 2852 wrote to memory of 4600 | 2852 | msiexec.exe | srtasks.exe
  PID 2852 wrote to memory of 4600 | 2852 | msiexec.exe | srtasks.exe
  PID 2852 wrote to memory of 4972 | 2852 | msiexec.exe | MsiExec.exe
  PID 2852 wrote to memory of 4972 | 2852 | msiexec.exe | MsiExec.exe
  PID 4972 wrote to memory of 3552 | 4972 | MsiExec.exe | rundll32.exe
  PID 4972 wrote to memory of 3552 | 4972 | MsiExec.exe | rundll32.exe
  PID 3552 wrote to memory of 5096 | 3552 | rundll32.exe | rundll32.exe
  PID 3552 wrote to memory of 5096 | 3552 | rundll32.exe | rundll32.exe
Processes

C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_14-12-2022_18-36-29.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  C:\Windows\System32\MsiExec.exe
    command line: C:\Windows\System32\MsiExec.exe -Embedding DB131CD8EDA3A953E282AF26724B056E
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe
      command line: rundll32.exe "C:\Windows\Installer\MSIE247.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240575109 2 test.cs!XXX.YyY.ZzZ
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\rundll32.exe
        command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSI88b6651b.mst",init
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\MSI88b6651b.mst
  Filesize: 1.4MB
  MD5: ddc204b27174d22b5bbf10819bf30707
  SHA1: c70473bc99e2fec21c1bc305a1f81ea3d52aaed0
  SHA256: 7e5da5fcda0da494da85cdc76384b3b08f135f09f20e582e049486e8ae2f168e
  SHA512: 8f3c9a8ec15458b2302a1914fc8408c156a88b872982122c2171c7290679e14f51268b1f5c405143322e99c71e7eb7ff24f1c4492f01ce76ecdbe965fb880adf

C:\Windows\Installer\MSIE247.tmp
  Filesize: 414KB
  MD5: cda2f0bb7819921c98e376562f8db1bb
  SHA1: 1a579a1b47c840a85181da8a70fe846084cd83c2
  SHA256: 3294ddfeba71b6718034400e2c40dc1f8f64f2480aff90c38e6b04a9fc2cb1ad
  SHA512: 9058543415ff917dbcf583c1bb99ba41142d3f22617fe3e409a7cf219d9f32ca8d11130e4e7df93025d0e332efd5ba71d54a3d88f9eec4b98e4f2fea9743a2ad

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: 529edc06ee6c78b713ce3e5d410355a2
  SHA1: 2054c9cb4f06b62a80ed20d47bcb5251b6feb577
  SHA256: 5a94fbc7e3e3577568f7c35f318c522725f39f9e7e74f68c56f3e6943d58e3f2
  SHA512: cf337e825f159a5dd13460c697a15c925846609c48521b72534861e0b2d131017ba29e1e663b8f4fd52e1a11ea6b7bec224f24d1cb0168c0d0dcc9fbdcc5f070

\??\Volume{d2616110-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d94e2092-be43-4cc2-a375-06fd284d842b}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 7e7755ea13f6f01a09d9e82d7cf4eca5
  SHA1: 6ee19eb175374c9e4945188747be8f2aeb844351
  SHA256: 8dd86899c1152ee612ce3ce7a5273d459ef1024f45e0d8299d0ffa40d1165995
  SHA512: 452e3ec124033c8978a12ac40268d9409a278a829d3f140f9efea7d027862aa2a74279a4f06f820774bed0fd3b0940e3a25d3fecc90340c31131bb4b7fe4f7f3

memory/3552-141-0x00007FF8B1D20000-0x00007FF8B27E1000-memory.dmp
  Filesize: 10.8MB

memory/3552-140-0x000002602CE90000-0x000002602CF00000-memory.dmp
  Filesize: 448KB

memory/3552-139-0x0000026013DA0000-0x0000026013DAA000-memory.dmp
  Filesize: 40KB

memory/3552-136-0x0000000000000000-mapping.dmp

memory/3552-146-0x00007FF8B1D20000-0x00007FF8B27E1000-memory.dmp
  Filesize: 10.8MB

memory/3552-138-0x0000026013DD0000-0x0000026013DFE000-memory.dmp
  Filesize: 184KB

memory/4600-132-0x0000000000000000-mapping.dmp

memory/4972-133-0x0000000000000000-mapping.dmp

memory/5096-142-0x0000000000000000-mapping.dmp

memory/5096-145-0x0000012A6CBB0000-0x0000012A6CBB9000-memory.dmp
  Filesize: 36KB