Analysis
-
max time kernel
1791s -
max time network
1795s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system -
submitted
19-12-2022 13:11
Static task
static1
Behavioral task
behavioral1
Sample
Setup_Win_14-12-2022_18-36-29.msi
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Setup_Win_14-12-2022_18-36-29.msi
Resource
win10-20220901-en
General
-
Target
Setup_Win_14-12-2022_18-36-29.msi
-
Size
1.9MB
-
MD5
483a92951b440f2212fbfba38174d8a4
-
SHA1
914b9a827b1937935681a033b1c32a2df97a4874
-
SHA256
63a7d98369925d6e98994cdb5937bd896506665be9f80dc55de7eb6df00f7607
-
SHA512
336d65a516d8503ec939cb52d186b42d1dc41abc253ac85262bd251f4c63f81fa78d8f48122e608c91ec7f6cf43db1daf87c9c26f6636fa6410d10541018a93b
-
SSDEEP
49152:Jr0QHD5a4/7yGe8EsuRMEl73hXNGzchfzYZppUQ:Jr08MuLshh
Malware Config
Extracted
icedid
1002085315
klepdrafooip.com
Signatures
-
Blocklisted process makes network request 30 IoCs
Loads dropped DLL 3 IoCs
Processes (pid, process):
- 620 MsiExec.exe
- 1628 rundll32.exe
- 1968 rundll32.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 15 IoCs
Processes (description, ioc, process):
- File opened for modification C:\Windows\Installer\ msiexec.exe
- File opened for modification C:\Windows\Installer\MSI6E22.tmp-\CustomAction.config rundll32.exe
- File opened for modification C:\Windows\Installer\MSI6E22.tmp-\WixSharp.dll rundll32.exe
- File opened for modification C:\Windows\Installer\MSI6E22.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe
- File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe
- File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
- File opened for modification C:\Windows\Installer\6c6b9f.msi msiexec.exe
- File created C:\Windows\Installer\6c6ba2.msi msiexec.exe
- File created C:\Windows\Installer\6c6b9f.msi msiexec.exe
- File created C:\Windows\Installer\6c6ba0.ipi msiexec.exe
- File opened for modification C:\Windows\Installer\MSI6E22.tmp msiexec.exe
- File opened for modification C:\Windows\Installer\MSI6E22.tmp-\test.cs.dll rundll32.exe
- File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
- File opened for modification C:\Windows\Installer\MSI6DA2.tmp msiexec.exe
- File opened for modification C:\Windows\Installer\6c6ba0.ipi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes (pid, process):
- 940 msiexec.exe
- 940 msiexec.exe
- 1968 rundll32.exe
- 1968 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
- 1204 msiexec.exe
- 1204 msiexec.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes (description, pid, process, target process):
- PID 940 wrote to memory of 620 msiexec.exe -> MsiExec.exe (5 times)
- PID 620 wrote to memory of 1628 MsiExec.exe -> rundll32.exe (3 times)
- PID 1628 wrote to memory of 1968 rundll32.exe -> rundll32.exe (3 times)
Processes
-
C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_14-12-2022_18-36-29.msi
Tree depth: 1
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
Tree depth: 1
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MsiExec.exe
Command line: C:\Windows\system32\MsiExec.exe -Embedding 53C70EAA275ED0334629DE42AD96E1A7
Tree depth: 2
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe "C:\Windows\Installer\MSI6E22.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7106266 1 test.cs!XXX.YyY.ZzZ
Tree depth: 3
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSIa24a59f5.mst",init
Tree depth: 4
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree depth: 1
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A0" "000000000000049C"
Tree depth: 1
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\MSIa24a59f5.mst
Filesize 1.4MB
MD5 ddc204b27174d22b5bbf10819bf30707
SHA1 c70473bc99e2fec21c1bc305a1f81ea3d52aaed0
SHA256 7e5da5fcda0da494da85cdc76384b3b08f135f09f20e582e049486e8ae2f168e
SHA512 8f3c9a8ec15458b2302a1914fc8408c156a88b872982122c2171c7290679e14f51268b1f5c405143322e99c71e7eb7ff24f1c4492f01ce76ecdbe965fb880adf
-
C:\Windows\Installer\MSI6E22.tmp
Filesize 414KB
MD5 cda2f0bb7819921c98e376562f8db1bb
SHA1 1a579a1b47c840a85181da8a70fe846084cd83c2
SHA256 3294ddfeba71b6718034400e2c40dc1f8f64f2480aff90c38e6b04a9fc2cb1ad
SHA512 9058543415ff917dbcf583c1bb99ba41142d3f22617fe3e409a7cf219d9f32ca8d11130e4e7df93025d0e332efd5ba71d54a3d88f9eec4b98e4f2fea9743a2ad
-
memory/620-56-0x0000000000000000-mapping.dmp
-
memory/1204-54-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp
Filesize 8KB
-
memory/1628-62-0x0000000002110000-0x000000000213E000-memory.dmp
Filesize 184KB
-
memory/1628-64-0x000000001A720000-0x000000001A790000-memory.dmp
Filesize 448KB
-
memory/1628-63-0x0000000001DA0000-0x0000000001DAA000-memory.dmp
Filesize 40KB
-
memory/1628-60-0x0000000000000000-mapping.dmp
-
memory/1968-66-0x0000000000000000-mapping.dmp
-
memory/1968-69-0x0000000000320000-0x0000000000329000-memory.dmp
Filesize 36KB