Analysis
- max time kernel: 258s
- max time network: 276s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-10-2023 06:31
Static task: static1
Behavioral task: behavioral1
Sample: build-065.msi
Resource: win7-20230831-en
General
- Target: build-065.msi
- Size: 988KB
- MD5: 32ee17c4caae3570e290c8a653aa380f
- SHA1: 3b6ffb4fe23aa45ab536486f1aa11e02fac520b3
- SHA256: 86bcd250b70e261d29a20538ffaf9ea3b27b510f02721cc6853bda227deeb118
- SHA512: 059e383c954f97993bfbef9f161fe8548d52b9814b0f481d245209f9e7388c2a5aeb38b404353279dec892d20f64b96407ce37b46cf0d2362cc78a4b4482d530
- SSDEEP: 12288:dBlIPDf7JnfcMwbNlquDsGnTFJT+XXW12MJkuTTBZZO2LKHL0vK++KA20n:dBlIGM8ou4GrToG12BoDZoL07+KAD
Malware Config
Extracted: icedid
- 879983162
- aptekoagraliy.com
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: rundll32.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation (rundll32.exe)
Loads dropped DLL (3 IoCs)
Processes: MsiExec.exe, rundll32.exe, rundll32.exe
- PID 492 MsiExec.exe
- PID 4064 rundll32.exe
- PID 4176 rundll32.exe
Blocklisted process makes network request (4 IoCs)
Processes: msiexec.exe
- flow 7, PID 3776 msiexec.exe
- flow 8, PID 3776 msiexec.exe
- flow 10, PID 3776 msiexec.exe
- flow 15, PID 3776 msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
- File opened (read-only) by msiexec.exe; each of the following drive letters was opened twice (46 events in total): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in Windows directory (13 IoCs)
Processes: msiexec.exe, rundll32.exe
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI3B4.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI480.tmp-\CustomAction.config (rundll32.exe)
- File created: C:\Windows\Installer\e5801a1.msi (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI480.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI480.tmp-\test.cs.dll (rundll32.exe)
- File opened for modification: C:\Windows\Installer\MSI480.tmp-\WixSharp.dll (rundll32.exe)
- File opened for modification: C:\Windows\Installer\e5801a1.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\e5801a3.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI480.tmp-\Microsoft.Deployment.WindowsInstaller.dll (rundll32.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000cda81468adccd8050000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000cda814680000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900cda81468000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dcda81468000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000cda8146800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: msiexec.exe, rundll32.exe
- PID 1436 msiexec.exe (2 events)
- PID 4176 rundll32.exe (8 events)
- PID 3280 (2 events; no process name recorded)
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: rundll32.exe
- PID 4176 rundll32.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe
- Token: SeShutdownPrivilege 3776 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 3776 msiexec.exe
- Token: SeSecurityPrivilege 1436 msiexec.exe
- Token: SeCreateTokenPrivilege 3776 msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege 3776 msiexec.exe
- Token: SeLockMemoryPrivilege 3776 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 3776 msiexec.exe
- Token: SeMachineAccountPrivilege 3776 msiexec.exe
- Token: SeTcbPrivilege 3776 msiexec.exe
- Token: SeSecurityPrivilege 3776 msiexec.exe
- Token: SeTakeOwnershipPrivilege 3776 msiexec.exe
- Token: SeLoadDriverPrivilege 3776 msiexec.exe
- Token: SeSystemProfilePrivilege 3776 msiexec.exe
- Token: SeSystemtimePrivilege 3776 msiexec.exe
- Token: SeProfSingleProcessPrivilege 3776 msiexec.exe
- Token: SeIncBasePriorityPrivilege 3776 msiexec.exe
- Token: SeCreatePagefilePrivilege 3776 msiexec.exe
- Token: SeCreatePermanentPrivilege 3776 msiexec.exe
- Token: SeBackupPrivilege 3776 msiexec.exe
- Token: SeRestorePrivilege 3776 msiexec.exe
- Token: SeShutdownPrivilege 3776 msiexec.exe
- Token: SeDebugPrivilege 3776 msiexec.exe
- Token: SeAuditPrivilege 3776 msiexec.exe
- Token: SeSystemEnvironmentPrivilege 3776 msiexec.exe
- Token: SeChangeNotifyPrivilege 3776 msiexec.exe
- Token: SeRemoteShutdownPrivilege 3776 msiexec.exe
- Token: SeUndockPrivilege 3776 msiexec.exe
- Token: SeSyncAgentPrivilege 3776 msiexec.exe
- Token: SeEnableDelegationPrivilege 3776 msiexec.exe
- Token: SeManageVolumePrivilege 3776 msiexec.exe
- Token: SeImpersonatePrivilege 3776 msiexec.exe
- Token: SeCreateGlobalPrivilege 3776 msiexec.exe
- Token: SeBackupPrivilege 1896 vssvc.exe
- Token: SeRestorePrivilege 1896 vssvc.exe
- Token: SeAuditPrivilege 1896 vssvc.exe
- Token: SeBackupPrivilege 1436 msiexec.exe
- Token: SeRestorePrivilege 1436 msiexec.exe
- Token: SeRestorePrivilege 1436 msiexec.exe
- Token: SeTakeOwnershipPrivilege 1436 msiexec.exe followed by Token: SeRestorePrivilege 1436 msiexec.exe, this pair repeated 13 times (26 events)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
- PID 3776 msiexec.exe (2 events)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: msiexec.exe, MsiExec.exe, rundll32.exe
- PID 1436 msiexec.exe wrote to memory of PID 3380 srtasks.exe (2 events)
- PID 1436 msiexec.exe wrote to memory of PID 492 MsiExec.exe (2 events)
- PID 492 MsiExec.exe wrote to memory of PID 4064 rundll32.exe (2 events)
- PID 4064 rundll32.exe wrote to memory of PID 4176 rundll32.exe (2 events)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 3776)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-065.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1436)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 3380)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\System32\MsiExec.exe (PID 492)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 1022F77ED03CF9B4E6EC8AD4B41193AD
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe (PID 4064)
      Command line: rundll32.exe "C:\Windows\Installer\MSI480.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240649468 2 test.cs!X1X3X2.Y1yY.Z3z1Z
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\rundll32.exe (PID 4176)
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSI7129410a.msi",scab /k jeeps329
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\vssvc.exe (PID 1896)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\Upfc.exe (PID 2004)
  Command line: C:\Windows\System32\Upfc.exe /launchtype periodic /cv do0e20iekE6OIcoP1tPrEA.0
- C:\Windows\system32\rundll32.exe (PID 2180)
  Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 40KB
  MD5: c62f298eaa04686d0379e6cebe8d7328
  SHA1: f28c579242720bc38aa66196b63c4b518b11069d
  SHA256: 89cf5e48a19925908f4433a15f6e7be08c62e58063ca65ea9dc3b1c1d4107a73
  SHA512: 973bdf81459a7b6883435d47d064c18a7300005a74511ab63bda79687def6a0b5b10acc51b77ab3d77b9b09a7cd62a249bb58fe04467c074c33f95a6a66b4e74
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
  Filesize: 727B
  MD5: 4e25d0434bd1f6cf35ee2c332255e571
  SHA1: 95a58811cbde3a2513d7fb8210e79545d45b8ab4
  SHA256: 8bc805fff18eda3d49a908d49f5659c07231e5bf0f4508019624b38a385a90f9
  SHA512: 09ef92c3f49ea82800bcd0b4fdcb6d7a5e559c9dad9bbdda139cbabef08907b89234026ece34f47e5626d5f56103220ac907ceda3c63b7eaab8933acbcf02e23
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05
  Filesize: 314B
  MD5: bbc2e43f834c7a0f1d02d7bdeac82e47
  SHA1: 82fddc3f784e7345a7058f6ce0bf7dc16f2c6e92
  SHA256: 00b3e6f7957f24e67ebc85898d8cec8d5ed64cb7374c25b45f40fe48cdfca437
  SHA512: 17eb7a17641fffa3d8f6bbdcc753704a41748d9aa0b46ac179dfa7f0c0461d8e27e062740658a07ef2525b6d01a80a4a65937a5d5537153433be11e64aaf5f7c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
  Filesize: 478B
  MD5: e74fc52367d57289787263aa1117c325
  SHA1: 2ac9070710affaeaefaabf36c2e0e569ad0116ba
  SHA256: 7270458a2dea22ce9b01dd11f6302df36b561c8736de593a990c493bf79672b8
  SHA512: 781ca0a56bac889a2a9d78620c8cafa2adc3a431f3f0fe024394bd3590a3b44789207834f879987e813435e39f1f3c93a2eba38a029ebd9718376ee6c6549f9e
- Filesize: 529KB
  MD5: c00a7a0dc633b124eb26504cc7c89d60
  SHA1: 87e75c6f66d515a53e7a7690f8add5ed3b4e539c
  SHA256: 56828f5666370fd228b33e3f81001d7cdeffdd7643d566bbb01f7a5b29728838
  SHA512: 54add2802c7268c03297640b0440b1f59c867dddec5332e663fce65a3c3624564452187264491c14cdfd81c0aa3367646868cbc791dc168fa84cbb33ea980975
- Filesize: 529KB
  MD5: c00a7a0dc633b124eb26504cc7c89d60
  SHA1: 87e75c6f66d515a53e7a7690f8add5ed3b4e539c
  SHA256: 56828f5666370fd228b33e3f81001d7cdeffdd7643d566bbb01f7a5b29728838
  SHA512: 54add2802c7268c03297640b0440b1f59c867dddec5332e663fce65a3c3624564452187264491c14cdfd81c0aa3367646868cbc791dc168fa84cbb33ea980975
- Filesize: 408KB
  MD5: c7e405100714c4c686a256220e59f306
  SHA1: b67b2c517ecf29b2fbf17a32040d73a1362db884
  SHA256: 471b54fd2b74ce73f41e4fe9ac6c459eba9d8d06c2448fe7097c58e5d8ea04fa
  SHA512: b7633fd54f60cb41a5a8ecd4b52dad3e767b6babfebb905af7c14f63a8f082b072d8d814defe23b46bdcdfb878b7dd52bd9634b448b59c8b870b69e7bd5a8832
- Filesize: 408KB
  MD5: c7e405100714c4c686a256220e59f306
  SHA1: b67b2c517ecf29b2fbf17a32040d73a1362db884
  SHA256: 471b54fd2b74ce73f41e4fe9ac6c459eba9d8d06c2448fe7097c58e5d8ea04fa
  SHA512: b7633fd54f60cb41a5a8ecd4b52dad3e767b6babfebb905af7c14f63a8f082b072d8d814defe23b46bdcdfb878b7dd52bd9634b448b59c8b870b69e7bd5a8832
- Filesize: 408KB
  MD5: c7e405100714c4c686a256220e59f306
  SHA1: b67b2c517ecf29b2fbf17a32040d73a1362db884
  SHA256: 471b54fd2b74ce73f41e4fe9ac6c459eba9d8d06c2448fe7097c58e5d8ea04fa
  SHA512: b7633fd54f60cb41a5a8ecd4b52dad3e767b6babfebb905af7c14f63a8f082b072d8d814defe23b46bdcdfb878b7dd52bd9634b448b59c8b870b69e7bd5a8832
- Filesize: 23.0MB
  MD5: 98f494225e39e58a0a839aec7b955725
  SHA1: a561988fd2b47d8f66887ef4df5c86e90c0c2080
  SHA256: 610a76f40209f07e5566626285ccea58a69884d5a16906d2275411124797f5dd
  SHA512: 3018967e4a8084150b86740e236366399df5096d7a728d7ddbca91c57092554ec33a40aee8936d240d4e15beb1aace4076904cc9f816a7efaabed0a4e3da802f
- \??\Volume{6814a8cd-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{573857a9-a17d-44b2-b678-d666ac86ab17}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 4922c5c23b725ea0e6e6fd63d38afa25
  SHA1: de5798867b1e2a17252b776e61f59c8393b09244
  SHA256: f8c835b632ab212908c07b1c75944c841fcfd150e5ffa8750634480ab3acecc5
  SHA512: df96d425a4a9245daa101fcbda00245354f32ddbc7862b67f5f420e13c78472bb07f076be7f987caa1e58ed99576394029fc24538db33da0915e0fb95f3603d7