Analysis
- max time kernel: 133s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-12-2022 13:50
- Static task: static1
- Behavioral task: behavioral1, Sample: Setup_Win_19-12-2022_13-01-59.msi, Resource: win7-20221111-en
- Behavioral task: behavioral2, Sample: Setup_Win_19-12-2022_13-01-59.msi, Resource: win10v2004-20220812-en
General
- Target: Setup_Win_19-12-2022_13-01-59.msi
- Size: 1.6MB
- MD5: 1288db9034ce84b91c7d9a66214917ce
- SHA1: 1732dca74c60413d35bb7fe95f3485de4c84e095
- SHA256: 1e85bf506aeb16fac2ce8e8c873991abe86d5afa2ad0148d57b4f080a675ede8
- SHA512: 9ea1f54d646257ec77b98973224cca610a191456cf565897fa74fda3ff6ea602398c7133d0b641f2746e5c58f30cf31f93f7b221fb499f2aed1420e34df494de
- SSDEEP: 24576:aHL0lvwglMtNroES7S8asBci5cRMyBAUIqw5NOcH9iIDMNUEer0OVTm10ku2w:ar0eglMbr3SWpsWjRMMKIIDB/k
Malware Config
Extracted
- Family: icedid
- Campaign: 1228806356
- C2: klepdrafooip.com
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow / pid / process):
  - flow 54, pid 3020, rundll32.exe
  - flow 58, pid 3020, rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (rundll32.exe)
- Loads dropped DLL (3 IoCs)
  Processes (pid / process):
  - pid 2632, MsiExec.exe
  - pid 3488, rundll32.exe
  - pid 3020, rundll32.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process), two msiexec.exe processes listed:
  - File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:, each opened twice, 48 events in total)
- Drops file in Windows directory (13 IoCs)
  Processes (description / ioc / process):
  - File opened for modification: C:\Windows\Installer\MSICFE4.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSICFE4.tmp-\test.cs.dll (rundll32.exe)
  - File opened for modification: C:\Windows\Installer\MSICFE4.tmp-\CustomAction.config (rundll32.exe)
  - File opened for modification: C:\Windows\Installer\MSICFE4.tmp-\WixSharp.dll (rundll32.exe)
  - File created: C:\Windows\Installer\e57cca6.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSICEF8.tmp (msiexec.exe)
  - File created: C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} (msiexec.exe)
  - File created: C:\Windows\Installer\e57cca8.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSICFE4.tmp-\Microsoft.Deployment.WindowsInstaller.dll (rundll32.exe)
  - File opened for modification: C:\Windows\Installer\e57cca6.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process), all vssvc.exe:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value, hex dump omitted]
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = [binary value, hex dump omitted]
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
  - pid 4940, msiexec.exe (2 events)
  - pid 3020, rundll32.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process), grouped by process:
  - pid 1504, msiexec.exe (31 events), Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - pid 2740, vssvc.exe (3 events), Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - pid 4940, msiexec.exe (30 events), Token: SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (SeRestorePrivilege 15 times, SeTakeOwnershipPrivilege 13 times)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
  - pid 1504, msiexec.exe (2 events)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  - PID 4940 msiexec.exe wrote to memory of 3084 srtasks.exe (2 events)
  - PID 4940 msiexec.exe wrote to memory of 2632 MsiExec.exe (2 events)
  - PID 2632 MsiExec.exe wrote to memory of 3488 rundll32.exe (2 events)
  - PID 3488 rundll32.exe wrote to memory of 3020 rundll32.exe (2 events)
Processes (tree, indented by parent/child relationship)
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_19-12-2022_13-01-59.msi
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 54EE5EE18C14A017152973ED9E7C168F
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe "C:\Windows\Installer\MSICFE4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240636062 2 test.cs!X1X3X2.Y1yY.Z3z1Z
      Signatures: Checks computer location settings; Loads dropped DLL; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSIeebd5e4e.msi",init
        Signatures: Blocklisted process makes network request; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\MSIeebd5e4e.msi
  Filesize: 1.2MB
  MD5: 2e39f1486c47b0ea7f3a03b01963c801
  SHA1: 39774ad2b8251f80647eac7df69aaca01a9d9502
  SHA256: cd65a3c349da4da45a26d8d4e3c07ef4045679feb458221a391375e3e328d52d
  SHA512: 0412565a0df35037a93deaa2621a9b379deb053d488c4cc24492dae6bee6dde34ad23976830c616dd2ecd2dbcbbb373cb2fc18392f36634b7fba7899eca9c7ae
- C:\Windows\Installer\MSICFE4.tmp
  Filesize: 414KB
  MD5: 36b5eecaf5207376081e459423d3f3fb
  SHA1: 3ebd5d7e10a09f2f005d369b28200b9ccdcb300c
  SHA256: 8b80a7f390a25b5ab5e24cff4fb343e66f357844a49e1ea0fa39cbec2e6f3aa3
  SHA512: f269a11d69ed8b70eba76e4e61f0d4d0aad324447dbe5e9cabd994d24c9655dbde0acb82ce8cbed1ab65b2eaff588c6c96fec14b490774e5a4db28b286ec5aac
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: 6c8fc1db7ce7ebe8f14966ae8fef4b3d
  SHA1: 641dcad57d027424e7c7f0c7f70175de8805c6e7
  SHA256: 026f2af7a8c898c226eb991d7a4f975abdfd1bb551806a107bdbf2c57812ff39
  SHA512: c0aac0e8af184ac504804de8e29e5555d62f29cf369f3ce22d462946bd108f817497e1bb4782a2e1454a4492eeffe7c021c07e9757dfb4058859770c8d28800e
- \??\Volume{5d2b4a7c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8354c29e-d2ee-4fac-bb40-8d26160161ce}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 54e32bf0a2a6f116285451c607a131a6
  SHA1: c4caaf1d5ee2b54179c73c1532223db28a79b094
  SHA256: 150608e45a75878ddd80c53e51ca34033a34c0d99414d061443de75fe09a82d2
  SHA512: c9f1bba8d1e08e0d293eb73eae8c38f2a8643df4d3a885e982fe449ad1d1e30429b8bb8d28b8b471a5cc358cba13105707adb48b3036def994e3475e6d580ebc
- memory/2632-133-0x0000000000000000-mapping.dmp
- memory/3020-146-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
- memory/3020-142-0x0000000000000000-mapping.dmp
- memory/3084-132-0x0000000000000000-mapping.dmp
- memory/3488-138-0x00000279C9560000-0x00000279C958E000-memory.dmp (Filesize: 184KB)
- memory/3488-140-0x00000279C9740000-0x00000279C97B0000-memory.dmp (Filesize: 448KB)
- memory/3488-145-0x00007FF8EBBA0000-0x00007FF8EC661000-memory.dmp (Filesize: 10.8MB)
- memory/3488-141-0x00007FF8EBBA0000-0x00007FF8EC661000-memory.dmp (Filesize: 10.8MB)
- memory/3488-139-0x00000279C9530000-0x00000279C953A000-memory.dmp (Filesize: 40KB)
- memory/3488-136-0x0000000000000000-mapping.dmp