Analysis

max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 31-12-2022 06:52

Static task: static1
Behavioral task: behavioral1
Sample: Setup_Win_31-12-2022_01-50-16.msi
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: Setup_Win_31-12-2022_01-50-16.msi
Resource: win10v2004-20221111-en
General

Target: Setup_Win_31-12-2022_01-50-16.msi
Size: 772KB
MD5: 4509edb7effdfc57e288bb7b23fa0180
SHA1: edd9910a9b2774e5a9a36ca096d299b092556016
SHA256: c0a063352598eae28f226207503d864a06f5490497b074a9390927793ea16bfd
SHA512: c6a321a42f6235e89b9c256ccdc2d697437baa07574c4da12e65a8c225a007f5da7a6e9b8e14d88a27de19d7b78b5375e3938c5be9054fa62f645fe2420afda0
SSDEEP: 12288:TwHL0DpsMX/wg4ZqU0UmmhtNOOdpxoPcrDnS34y9RPF8L:0HL0tvwglMtNjjoGS3bRPF8L
Malware Config

Extracted: icedid
2957048208
whothitheka.com
Signatures

Blocklisted process makes network request (3 IoCs)
Processes: rundll32.exe
  flow 2, PID 1732, rundll32.exe
  flow 4, PID 1732, rundll32.exe
  flow 5, PID 1732, rundll32.exe
Loads dropped DLL (3 IoCs)
Processes: MsiExec.exe, rundll32.exe, rundll32.exe
  PID 1560, MsiExec.exe
  PID 684, rundll32.exe
  PID 1732, rundll32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
Drops file in Windows directory (15 IoCs)
Processes: DrvInst.exe, msiexec.exe, rundll32.exe
  File opened for modification C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
  File opened for modification C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
  File opened for modification C:\Windows\Installer\ (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSI711E.tmp-\test.cs.dll (rundll32.exe)
  File opened for modification C:\Windows\Installer\MSI711E.tmp-\CustomAction.config (rundll32.exe)
  File opened for modification C:\Windows\Installer\6c6e0f.msi (msiexec.exe)
  File opened for modification C:\Windows\Installer\6c6e10.ipi (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSI711E.tmp (msiexec.exe)
  File created C:\Windows\Installer\6c6e10.ipi (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSI7051.tmp (msiexec.exe)
  File created C:\Windows\Installer\6c6e12.msi (msiexec.exe)
  File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
  File created C:\Windows\Installer\6c6e0f.msi (msiexec.exe)
  File opened for modification C:\Windows\Installer\MSI711E.tmp-\WixSharp.dll (rundll32.exe)
  File opened for modification C:\Windows\Installer\MSI711E.tmp-\Microsoft.Deployment.WindowsInstaller.dll (rundll32.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (43 IoCs)
Processes: DrvInst.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: msiexec.exe, rundll32.exe
  PID 1492, msiexec.exe
  PID 1492, msiexec.exe
  PID 1732, rundll32.exe
  PID 1732, rundll32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe, DrvInst.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
  PID 1632, msiexec.exe
  PID 1632, msiexec.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: msiexec.exe, MsiExec.exe, rundll32.exe
  PID 1492 (msiexec.exe) wrote to memory of PID 1560 (MsiExec.exe)
  PID 1492 (msiexec.exe) wrote to memory of PID 1560 (MsiExec.exe)
  PID 1492 (msiexec.exe) wrote to memory of PID 1560 (MsiExec.exe)
  PID 1492 (msiexec.exe) wrote to memory of PID 1560 (MsiExec.exe)
  PID 1492 (msiexec.exe) wrote to memory of PID 1560 (MsiExec.exe)
  PID 1560 (MsiExec.exe) wrote to memory of PID 684 (rundll32.exe)
  PID 1560 (MsiExec.exe) wrote to memory of PID 684 (rundll32.exe)
  PID 1560 (MsiExec.exe) wrote to memory of PID 684 (rundll32.exe)
  PID 684 (rundll32.exe) wrote to memory of PID 1732 (rundll32.exe)
  PID 684 (rundll32.exe) wrote to memory of PID 1732 (rundll32.exe)
  PID 684 (rundll32.exe) wrote to memory of PID 1732 (rundll32.exe)
Processes

C:\Windows\system32\msiexec.exe (PID 1632)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_31-12-2022_01-50-16.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 1492)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\MsiExec.exe (PID 1560)
    Command line: C:\Windows\system32\MsiExec.exe -Embedding E9D033A5DCDC274DA40E24CE4BAD8127
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe (PID 684)
      Command line: rundll32.exe "C:\Windows\Installer\MSI711E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7107140 1 test.cs!X1X3X2.Y1yY.Z3z1Z
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\rundll32.exe (PID 1732)
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSIfffa8806.msi",init
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (PID 580)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe (PID 1400)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000049C" "0000000000000060"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\MSIfffa8806.msi
  Filesize: 323KB
  MD5: 460cf4e821b22e1b3df659a01ee8fb0a
  SHA1: 1c5ea14ff5f7be7e3d3a62a0d531fc7d0d0a3bf8
  SHA256: 338c4e044fcd4f8b7429558c283eb13769e0e6afcbf14e9c6bc64d5cc9e3d79a
  SHA512: c7bf8859feb207a1178e82402c82c8e4dbaaeae1de4c5220f22a874a8d01fa1944ad91c1d3157bc3f6c1b964a8ac16ab8d00c65fbfdc5d67c7b390afcbe3aec4

C:\Windows\Installer\MSI711E.tmp
  Filesize: 414KB
  MD5: 93de80a9ce7643dd46c5486de3bbd321
  SHA1: af84880e7259b812abc4d1bd4390d594e05f0f75
  SHA256: e389c34819359687adc18cf20534842b9e66dc101ea8497e70d0ae217f7081eb
  SHA512: 0b0394914c6ca4ae401244f9690760f56937f69e6dc2b65033e3586aaa479508b13ae4b1f5a7308d96834756a8ca1ae97b6f5b360f2c429794c170c42e4e0c16