icedid | 63a7d98369925d6e98994cdb5937bd896506665be9f80dc55de7eb6df00f7607

General

Target

Setup_Win_14-12-2022_18-36-29.msi
Size

1.9MB
MD5

483a92951b440f2212fbfba38174d8a4
SHA1

914b9a827b1937935681a033b1c32a2df97a4874
SHA256

63a7d98369925d6e98994cdb5937bd896506665be9f80dc55de7eb6df00f7607
SHA512

336d65a516d8503ec939cb52d186b42d1dc41abc253ac85262bd251f4c63f81fa78d8f48122e608c91ec7f6cf43db1daf87c9c26f6636fa6410d10541018a93b
SSDEEP

49152:Jr0QHD5a4/7yGe8EsuRMEl73hXNGzchfzYZppUQ:Jr08MuLshh

Score

10^/10

icedid 1002085315 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1002085315

C2

klepdrafooip.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 30 IoCs

Processes:

rundll32.exe

flow	pid	process
10	2964	rundll32.exe
15	2964	rundll32.exe
16	2964	rundll32.exe
17	2964	rundll32.exe
18	2964	rundll32.exe
24	2964	rundll32.exe
27	2964	rundll32.exe
28	2964	rundll32.exe
29	2964	rundll32.exe
30	2964	rundll32.exe
32	2964	rundll32.exe
33	2964	rundll32.exe
34	2964	rundll32.exe
35	2964	rundll32.exe
36	2964	rundll32.exe
38	2964	rundll32.exe
39	2964	rundll32.exe
40	2964	rundll32.exe
41	2964	rundll32.exe
42	2964	rundll32.exe
44	2964	rundll32.exe
45	2964	rundll32.exe
46	2964	rundll32.exe
47	2964	rundll32.exe
48	2964	rundll32.exe
50	2964	rundll32.exe
51	2964	rundll32.exe
52	2964	rundll32.exe
53	2964	rundll32.exe
54	2964	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

4360 MsiExec.exe
4452 rundll32.exe
2964 rundll32.exe

pid	process
4360	MsiExec.exe
4452	rundll32.exe
2964	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e5708ab.msi	msiexec.exe
File created	C:\Windows\Installer\e5708ad.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE0.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE0.tmp-\test.cs.dll	rundll32.exe
File created	C:\Windows\Installer\e5708ab.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA41.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE0.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAE0.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exerundll32.exe

pid process

3352 msiexec.exe
3352 msiexec.exe
2964 rundll32.exe
2964 rundll32.exe

pid	process
3352	msiexec.exe
3352	msiexec.exe
2964	rundll32.exe
2964	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	2484	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2484	msiexec.exe
Token: SeSecurityPrivilege	3352	msiexec.exe
Token: SeCreateTokenPrivilege	2484	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2484	msiexec.exe
Token: SeLockMemoryPrivilege	2484	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2484	msiexec.exe
Token: SeMachineAccountPrivilege	2484	msiexec.exe
Token: SeTcbPrivilege	2484	msiexec.exe
Token: SeSecurityPrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeLoadDriverPrivilege	2484	msiexec.exe
Token: SeSystemProfilePrivilege	2484	msiexec.exe
Token: SeSystemtimePrivilege	2484	msiexec.exe
Token: SeProfSingleProcessPrivilege	2484	msiexec.exe
Token: SeIncBasePriorityPrivilege	2484	msiexec.exe
Token: SeCreatePagefilePrivilege	2484	msiexec.exe
Token: SeCreatePermanentPrivilege	2484	msiexec.exe
Token: SeBackupPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeShutdownPrivilege	2484	msiexec.exe
Token: SeDebugPrivilege	2484	msiexec.exe
Token: SeAuditPrivilege	2484	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2484	msiexec.exe
Token: SeChangeNotifyPrivilege	2484	msiexec.exe
Token: SeRemoteShutdownPrivilege	2484	msiexec.exe
Token: SeUndockPrivilege	2484	msiexec.exe
Token: SeSyncAgentPrivilege	2484	msiexec.exe
Token: SeEnableDelegationPrivilege	2484	msiexec.exe
Token: SeManageVolumePrivilege	2484	msiexec.exe
Token: SeImpersonatePrivilege	2484	msiexec.exe
Token: SeCreateGlobalPrivilege	2484	msiexec.exe
Token: SeBackupPrivilege	1848	vssvc.exe
Token: SeRestorePrivilege	1848	vssvc.exe
Token: SeAuditPrivilege	1848	vssvc.exe
Token: SeBackupPrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe
Token: SeTakeOwnershipPrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe
Token: SeTakeOwnershipPrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe
Token: SeTakeOwnershipPrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe
Token: SeTakeOwnershipPrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe
Token: SeTakeOwnershipPrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe
Token: SeTakeOwnershipPrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe
Token: SeTakeOwnershipPrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe
Token: SeTakeOwnershipPrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe
Token: SeTakeOwnershipPrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe
Token: SeTakeOwnershipPrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe
Token: SeTakeOwnershipPrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe
Token: SeTakeOwnershipPrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe
Token: SeTakeOwnershipPrivilege	3352	msiexec.exe
Token: SeRestorePrivilege	3352	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2484 msiexec.exe
2484 msiexec.exe

pid	process
2484	msiexec.exe
2484	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 3352 wrote to memory of 4924	3352	msiexec.exe	srtasks.exe
PID 3352 wrote to memory of 4924	3352	msiexec.exe	srtasks.exe
PID 3352 wrote to memory of 4360	3352	msiexec.exe	MsiExec.exe
PID 3352 wrote to memory of 4360	3352	msiexec.exe	MsiExec.exe
PID 4360 wrote to memory of 4452	4360	MsiExec.exe	rundll32.exe
PID 4360 wrote to memory of 4452	4360	MsiExec.exe	rundll32.exe
PID 4452 wrote to memory of 2964	4452	rundll32.exe	rundll32.exe
PID 4452 wrote to memory of 2964	4452	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_14-12-2022_18-36-29.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2484

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4924

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 8AC8D1EC7583A172AD2C62D676632653
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIAE0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240585625 2 test.cs!XXX.YyY.ZzZ
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSIc07fc405.mst",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MSIc07fc405.mst
Filesize
1.4MB

MD5
ddc204b27174d22b5bbf10819bf30707

SHA1
c70473bc99e2fec21c1bc305a1f81ea3d52aaed0

SHA256
7e5da5fcda0da494da85cdc76384b3b08f135f09f20e582e049486e8ae2f168e

SHA512
8f3c9a8ec15458b2302a1914fc8408c156a88b872982122c2171c7290679e14f51268b1f5c405143322e99c71e7eb7ff24f1c4492f01ce76ecdbe965fb880adf

Download Submit
C:\Windows\Installer\MSIAE0.tmp
Filesize
414KB

MD5
cda2f0bb7819921c98e376562f8db1bb

SHA1
1a579a1b47c840a85181da8a70fe846084cd83c2

SHA256
3294ddfeba71b6718034400e2c40dc1f8f64f2480aff90c38e6b04a9fc2cb1ad

SHA512
9058543415ff917dbcf583c1bb99ba41142d3f22617fe3e409a7cf219d9f32ca8d11130e4e7df93025d0e332efd5ba71d54a3d88f9eec4b98e4f2fea9743a2ad

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
25.0MB

MD5
f240871ff7ace91231cd65d5c90fc356

SHA1
ef9e46c87dae843c2106b063c5cd536483bec3d6

SHA256
cf659a2d1881253fc4028a7263613713fed406dcb417e378d3d3ea9f2d5bbf31

SHA512
e4bd8f85eae956bc70a58f1bfeffc55ea9a17c25ad55ba00613641183a29770424bde4867d7d9893f377b4cb1fd2d49ebb657cd24ab715b9ff7f2bfca6603e52

Download Submit
\??\Volume{b79df8d1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c0e2ae3a-d7ac-4c44-ada6-c308a602a905}_OnDiskSnapshotProp
Filesize
5KB

MD5
9b7a51bdeec8f5ddbcb8a5d89901dfb8

SHA1
9388487a1531a38b5da40aa9c3d7118bed015362

SHA256
b353e9425cd55dc7b13bc4a504e281da70d1bc3112010566a5b5645555ab3a8d

SHA512
c45d8db4297a56a68711b376732a8e2cec5d785663eeef5d4fcdff092de740042d34a3bf798873b336534e6bb3f6049db8721bc6d0abd9f64c0c4a404d2fffef

Download Submit
\Users\Admin\AppData\Local\MSIc07fc405.mst
Filesize
1.4MB

MD5
ddc204b27174d22b5bbf10819bf30707

SHA1
c70473bc99e2fec21c1bc305a1f81ea3d52aaed0

SHA256
7e5da5fcda0da494da85cdc76384b3b08f135f09f20e582e049486e8ae2f168e

SHA512
8f3c9a8ec15458b2302a1914fc8408c156a88b872982122c2171c7290679e14f51268b1f5c405143322e99c71e7eb7ff24f1c4492f01ce76ecdbe965fb880adf

Download Submit
\Windows\Installer\MSIAE0.tmp
Filesize
414KB

MD5
cda2f0bb7819921c98e376562f8db1bb

SHA1
1a579a1b47c840a85181da8a70fe846084cd83c2

SHA256
3294ddfeba71b6718034400e2c40dc1f8f64f2480aff90c38e6b04a9fc2cb1ad

SHA512
9058543415ff917dbcf583c1bb99ba41142d3f22617fe3e409a7cf219d9f32ca8d11130e4e7df93025d0e332efd5ba71d54a3d88f9eec4b98e4f2fea9743a2ad

Download Submit
\Windows\Installer\MSIAE0.tmp
Filesize
414KB

MD5
cda2f0bb7819921c98e376562f8db1bb

SHA1
1a579a1b47c840a85181da8a70fe846084cd83c2

SHA256
3294ddfeba71b6718034400e2c40dc1f8f64f2480aff90c38e6b04a9fc2cb1ad

SHA512
9058543415ff917dbcf583c1bb99ba41142d3f22617fe3e409a7cf219d9f32ca8d11130e4e7df93025d0e332efd5ba71d54a3d88f9eec4b98e4f2fea9743a2ad

Download Submit
memory/2964-150-0x0000025F157F0000-0x0000025F157F9000-memory.dmp

Filesize
36KB

Download
memory/2964-145-0x0000000000000000-mapping.dmp

Download
memory/4360-125-0x0000000000000000-mapping.dmp

Download
memory/4452-130-0x0000000000000000-mapping.dmp

Download
memory/4452-140-0x00000220C2090000-0x00000220C2100000-memory.dmp

Filesize
448KB

Download
memory/4452-139-0x00000220A9AC0000-0x00000220A9ACA000-memory.dmp

Filesize
40KB

Download
memory/4452-135-0x00000220A9AE0000-0x00000220A9B0E000-memory.dmp

Filesize
184KB

Download
memory/4924-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads