Analysis
- max time kernel: 116s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-01-2023 08:45
Static task: static1
Behavioral task: behavioral1
- Sample: Setup_Win_03-01-2023_08-37-05.msi
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: Setup_Win_03-01-2023_08-37-05.msi
- Resource: win10v2004-20220812-en
General
- Target: Setup_Win_03-01-2023_08-37-05.msi
- Size: 772KB
- MD5: f2d5895a8e66ef63e687e356dac665cf
- SHA1: d5ec3af492980df0bcbca26ceb864177978ef69d
- SHA256: 6b4239bdb1080b21570feba7058d87b35e18bc74c20c68611c2012002b8a0aa3
- SHA512: d1ff00a258a811f395e91dcca6a22e8dd839aef606f74d2ef78391e01d4ce13d490903b6d9378c114ba0f880cb698d76027e62e3832ea1a97fe4ba8cfb4bb1a8
- SSDEEP: 12288:GwHL0DpPMX/wg4ZqU0UmmhtNOOdpxoPcrDnS34y9RPF8L:vHL02vwglMtNjjoGS3bRPF8L
Malware Config
Extracted:
- icedid
- 2957048208
- whothitheka.com
Signatures

Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   process
  48    4820  rundll32.exe
  53    4820  rundll32.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                 process
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  rundll32.exe
Loads dropped DLL (3 IoCs)
Processes:
  pid   process
  2868  MsiExec.exe
  4556  rundll32.exe
  4820  rundll32.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc     process
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\F:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  (every drive letter except C: and D:, each opened twice)
Drops file in Windows directory (13 IoCs)
Processes:
  description                   ioc                                                                        process
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                             msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}     msiexec.exe
  File created                  C:\Windows\Installer\e579d0d.msi                                           msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIA038.tmp                                           msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIA038.tmp-\WixSharp.dll                             rundll32.exe
  File opened for modification  C:\Windows\Installer\MSIA038.tmp-\Microsoft.Deployment.WindowsInstaller.dll  rundll32.exe
  File opened for modification  C:\Windows\Installer\e579d0b.msi                                           msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                      msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI9F4D.tmp                                           msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIA038.tmp-\test.cs.dll                              rundll32.exe
  File opened for modification  C:\Windows\Installer\MSIA038.tmp-\CustomAction.config                      rundll32.exe
  File created                  C:\Windows\Installer\e579d0b.msi                                           msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                   msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description       ioc                                                                                                                                    process
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                     vssvc.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                     vssvc.exe
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr             vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value elided from the page]  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  4912  msiexec.exe
  4912  msiexec.exe
  4820  rundll32.exe
  4820  rundll32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description (Token)                    pid   process
  SeShutdownPrivilege                    3496  msiexec.exe
  SeIncreaseQuotaPrivilege               3496  msiexec.exe
  SeSecurityPrivilege                    4912  msiexec.exe
  SeCreateTokenPrivilege                 3496  msiexec.exe
  SeAssignPrimaryTokenPrivilege          3496  msiexec.exe
  SeLockMemoryPrivilege                  3496  msiexec.exe
  SeIncreaseQuotaPrivilege               3496  msiexec.exe
  SeMachineAccountPrivilege              3496  msiexec.exe
  SeTcbPrivilege                         3496  msiexec.exe
  SeSecurityPrivilege                    3496  msiexec.exe
  SeTakeOwnershipPrivilege               3496  msiexec.exe
  SeLoadDriverPrivilege                  3496  msiexec.exe
  SeSystemProfilePrivilege               3496  msiexec.exe
  SeSystemtimePrivilege                  3496  msiexec.exe
  SeProfSingleProcessPrivilege           3496  msiexec.exe
  SeIncBasePriorityPrivilege             3496  msiexec.exe
  SeCreatePagefilePrivilege              3496  msiexec.exe
  SeCreatePermanentPrivilege             3496  msiexec.exe
  SeBackupPrivilege                      3496  msiexec.exe
  SeRestorePrivilege                     3496  msiexec.exe
  SeShutdownPrivilege                    3496  msiexec.exe
  SeDebugPrivilege                       3496  msiexec.exe
  SeAuditPrivilege                       3496  msiexec.exe
  SeSystemEnvironmentPrivilege           3496  msiexec.exe
  SeChangeNotifyPrivilege                3496  msiexec.exe
  SeRemoteShutdownPrivilege              3496  msiexec.exe
  SeUndockPrivilege                      3496  msiexec.exe
  SeSyncAgentPrivilege                   3496  msiexec.exe
  SeEnableDelegationPrivilege            3496  msiexec.exe
  SeManageVolumePrivilege                3496  msiexec.exe
  SeImpersonatePrivilege                 3496  msiexec.exe
  SeCreateGlobalPrivilege                3496  msiexec.exe
  SeBackupPrivilege                      3864  vssvc.exe
  SeRestorePrivilege                     3864  vssvc.exe
  SeAuditPrivilege                       3864  vssvc.exe
  SeBackupPrivilege                      4912  msiexec.exe
  SeRestorePrivilege                     4912  msiexec.exe
  SeRestorePrivilege                     4912  msiexec.exe
  SeTakeOwnershipPrivilege               4912  msiexec.exe  \ this pair of rows is repeated
  SeRestorePrivilege                     4912  msiexec.exe  / 13 times in the original (26 rows)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process
  3496  msiexec.exe
  3496  msiexec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid   process       target process
  PID 4912 wrote to memory of 4520   4912  msiexec.exe   srtasks.exe
  PID 4912 wrote to memory of 4520   4912  msiexec.exe   srtasks.exe
  PID 4912 wrote to memory of 2868   4912  msiexec.exe   MsiExec.exe
  PID 4912 wrote to memory of 2868   4912  msiexec.exe   MsiExec.exe
  PID 2868 wrote to memory of 4556   2868  MsiExec.exe   rundll32.exe
  PID 2868 wrote to memory of 4556   2868  MsiExec.exe   rundll32.exe
  PID 4556 wrote to memory of 4820   4556  rundll32.exe  rundll32.exe
  PID 4556 wrote to memory of 4820   4556  rundll32.exe  rundll32.exe
Processes (indentation shows the parent/child tree)

- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_03-01-2023_08-37-05.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    - C:\Windows\System32\MsiExec.exe
      Command line: C:\Windows\System32\MsiExec.exe -Embedding 7A22E8A885D0D7CC658518F72A7D517B
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        - C:\Windows\system32\rundll32.exe
          Command line: rundll32.exe "C:\Windows\Installer\MSIA038.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240623859 2 test.cs!X1X3X2.Y1yY.Z3z1Z
          - Checks computer location settings
          - Loads dropped DLL
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory

            - C:\Windows\System32\rundll32.exe
              Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSI55d858b2.msi",init
              - Blocklisted process makes network request
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Users\Admin\AppData\Local\MSI55d858b2.msi
  Filesize: 323KB
  MD5: 460cf4e821b22e1b3df659a01ee8fb0a
  SHA1: 1c5ea14ff5f7be7e3d3a62a0d531fc7d0d0a3bf8
  SHA256: 338c4e044fcd4f8b7429558c283eb13769e0e6afcbf14e9c6bc64d5cc9e3d79a
  SHA512: c7bf8859feb207a1178e82402c82c8e4dbaaeae1de4c5220f22a874a8d01fa1944ad91c1d3157bc3f6c1b964a8ac16ab8d00c65fbfdc5d67c7b390afcbe3aec4

- C:\Windows\Installer\MSIA038.tmp
  Filesize: 414KB
  MD5: 1ba38de0f34cc60b881c2e4cc37ea294
  SHA1: e0d60e2843bbfa08cbf825f1c638cd67c7a2c5c0
  SHA256: 092ee0c919a6c8266113102ff4391363bb0ef9e067c21ee2d33d9d83d029527d
  SHA512: ca9a9c8e44d1deda0b0f3ac10163b50e1c5e84db12acb1f7fca2305a6ebd21930e769f9a2f0a8261eeebdcb4276f3083466bb87841cc063cbaf5cebbabd51314

- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: 588c8eb76535b105d1b43123438a34e9
  SHA1: 4be70d7de1930506b15a4943c932b3df8e99b25d
  SHA256: 1a82cac04c5f2ce20c7489d7208ae86e753a1480cbc6205684f3b8a0bb9fd4f6
  SHA512: b019d0d0e45208b12acd5f6ab77b3d06242d17a03ee6dfcd2046719326978d5d2f8e28fa4e4b96fb06dc649e1466e52f47c49daa29612e3f39e3f7852a5bbe55

- \??\Volume{5d2b4a7c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f251147c-fd06-4ca3-a594-8a80013a963f}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: a9977872d97636310914b4c6038ca7e2
  SHA1: fd23481650168ae9f0f36725ab071da1492b56d8
  SHA256: cbf18d44e0dfec3c0b3a18437f1ae9d72fa6b750a867b1e2f133c902c9a70662
  SHA512: 1682bb4385e48e36286e7ab486b5c8134f7d8e8cdb351479b2eb2a7d6d9d267a152653831d1e69b1a8b5fdbab13f65b57aaaaa0fe4d6521191f2c4af2a8351fe

- memory/2868-133-0x0000000000000000-mapping.dmp

- memory/4520-132-0x0000000000000000-mapping.dmp

- memory/4556-138-0x000001F5D41E0000-0x000001F5D420E000-memory.dmp
  Filesize: 184KB

- memory/4556-141-0x00007FFE83F40000-0x00007FFE84A01000-memory.dmp
  Filesize: 10.8MB

- memory/4556-140-0x000001F5D5B40000-0x000001F5D5BB0000-memory.dmp
  Filesize: 448KB

- memory/4556-147-0x00007FFE83F40000-0x00007FFE84A01000-memory.dmp
  Filesize: 10.8MB

- memory/4556-139-0x000001F5D41B0000-0x000001F5D41BA000-memory.dmp
  Filesize: 40KB

- memory/4556-136-0x0000000000000000-mapping.dmp

- memory/4820-142-0x0000000000000000-mapping.dmp

- memory/4820-145-0x0000000180000000-0x0000000180009000-memory.dmp
  Filesize: 36KB