Overview

overview

10

Static

static

Setup_Win_...29.msi

windows7-x64

10

Setup_Win_...29.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2022 12:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup_Win_14-12-2022_18-36-29.msi

  • Size

    1.9MB

  • MD5

    483a92951b440f2212fbfba38174d8a4

  • SHA1

    914b9a827b1937935681a033b1c32a2df97a4874

  • SHA256

    63a7d98369925d6e98994cdb5937bd896506665be9f80dc55de7eb6df00f7607

  • SHA512

    336d65a516d8503ec939cb52d186b42d1dc41abc253ac85262bd251f4c63f81fa78d8f48122e608c91ec7f6cf43db1daf87c9c26f6636fa6410d10541018a93b

  • SSDEEP

    49152:Jr0QHD5a4/7yGe8EsuRMEl73hXNGzchfzYZppUQ:Jr08MuLshh

Score
10/10
icedid1002085315bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

1002085315

C2

klepdrafooip.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_14-12-2022_18-36-29.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1480
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4600
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding DB131CD8EDA3A953E282AF26724B056E
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Windows\system32\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIE247.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240575109 2 test.cs!XXX.YyY.ZzZ
          3⤵
          • Checks computer location settings
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:3552
          • C:\Windows\System32\rundll32.exe
            "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSI88b6651b.mst",init
            4⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:5096
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2088

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    2
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\MSI88b6651b.mst
      Filesize

      1.4MB

      MD5

      ddc204b27174d22b5bbf10819bf30707

      SHA1

      c70473bc99e2fec21c1bc305a1f81ea3d52aaed0

      SHA256

      7e5da5fcda0da494da85cdc76384b3b08f135f09f20e582e049486e8ae2f168e

      SHA512

      8f3c9a8ec15458b2302a1914fc8408c156a88b872982122c2171c7290679e14f51268b1f5c405143322e99c71e7eb7ff24f1c4492f01ce76ecdbe965fb880adf

      Download Submit
    • C:\Users\Admin\AppData\Local\MSI88b6651b.mst
      Filesize

      1.4MB

      MD5

      ddc204b27174d22b5bbf10819bf30707

      SHA1

      c70473bc99e2fec21c1bc305a1f81ea3d52aaed0

      SHA256

      7e5da5fcda0da494da85cdc76384b3b08f135f09f20e582e049486e8ae2f168e

      SHA512

      8f3c9a8ec15458b2302a1914fc8408c156a88b872982122c2171c7290679e14f51268b1f5c405143322e99c71e7eb7ff24f1c4492f01ce76ecdbe965fb880adf

      Download Submit
    • C:\Windows\Installer\MSIE247.tmp
      Filesize

      414KB

      MD5

      cda2f0bb7819921c98e376562f8db1bb

      SHA1

      1a579a1b47c840a85181da8a70fe846084cd83c2

      SHA256

      3294ddfeba71b6718034400e2c40dc1f8f64f2480aff90c38e6b04a9fc2cb1ad

      SHA512

      9058543415ff917dbcf583c1bb99ba41142d3f22617fe3e409a7cf219d9f32ca8d11130e4e7df93025d0e332efd5ba71d54a3d88f9eec4b98e4f2fea9743a2ad

      Download Submit
    • C:\Windows\Installer\MSIE247.tmp
      Filesize

      414KB

      MD5

      cda2f0bb7819921c98e376562f8db1bb

      SHA1

      1a579a1b47c840a85181da8a70fe846084cd83c2

      SHA256

      3294ddfeba71b6718034400e2c40dc1f8f64f2480aff90c38e6b04a9fc2cb1ad

      SHA512

      9058543415ff917dbcf583c1bb99ba41142d3f22617fe3e409a7cf219d9f32ca8d11130e4e7df93025d0e332efd5ba71d54a3d88f9eec4b98e4f2fea9743a2ad

      Download Submit
    • C:\Windows\Installer\MSIE247.tmp
      Filesize

      414KB

      MD5

      cda2f0bb7819921c98e376562f8db1bb

      SHA1

      1a579a1b47c840a85181da8a70fe846084cd83c2

      SHA256

      3294ddfeba71b6718034400e2c40dc1f8f64f2480aff90c38e6b04a9fc2cb1ad

      SHA512

      9058543415ff917dbcf583c1bb99ba41142d3f22617fe3e409a7cf219d9f32ca8d11130e4e7df93025d0e332efd5ba71d54a3d88f9eec4b98e4f2fea9743a2ad

      Download Submit
    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.0MB

      MD5

      529edc06ee6c78b713ce3e5d410355a2

      SHA1

      2054c9cb4f06b62a80ed20d47bcb5251b6feb577

      SHA256

      5a94fbc7e3e3577568f7c35f318c522725f39f9e7e74f68c56f3e6943d58e3f2

      SHA512

      cf337e825f159a5dd13460c697a15c925846609c48521b72534861e0b2d131017ba29e1e663b8f4fd52e1a11ea6b7bec224f24d1cb0168c0d0dcc9fbdcc5f070

      Download Submit
    • \??\Volume{d2616110-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d94e2092-be43-4cc2-a375-06fd284d842b}_OnDiskSnapshotProp
      Filesize

      5KB

      MD5

      7e7755ea13f6f01a09d9e82d7cf4eca5

      SHA1

      6ee19eb175374c9e4945188747be8f2aeb844351

      SHA256

      8dd86899c1152ee612ce3ce7a5273d459ef1024f45e0d8299d0ffa40d1165995

      SHA512

      452e3ec124033c8978a12ac40268d9409a278a829d3f140f9efea7d027862aa2a74279a4f06f820774bed0fd3b0940e3a25d3fecc90340c31131bb4b7fe4f7f3

      Download Submit
    • memory/3552-141-0x00007FF8B1D20000-0x00007FF8B27E1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3552-140-0x000002602CE90000-0x000002602CF00000-memory.dmp
      Filesize

      448KB

      Download
    • memory/3552-139-0x0000026013DA0000-0x0000026013DAA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3552-136-0x0000000000000000-mapping.dmp
      Download
    • memory/3552-146-0x00007FF8B1D20000-0x00007FF8B27E1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3552-138-0x0000026013DD0000-0x0000026013DFE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4600-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4972-133-0x0000000000000000-mapping.dmp
      Download
    • memory/5096-142-0x0000000000000000-mapping.dmp
      Download
    • memory/5096-145-0x0000012A6CBB0000-0x0000012A6CBB9000-memory.dmp
      Filesize

      36KB

      Download