Analysis
max time kernel: 128s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-10-2023 09:54
Static task: static1
Behavioral task: behavioral1
Sample: 86bcd250b70e261d29a20538ffaf9ea3b27b510f02721cc6853bda227deeb118.msi
Resource: win7-20230831-en
General
Target
86bcd250b70e261d29a20538ffaf9ea3b27b510f02721cc6853bda227deeb118.msi
Size
988KB
MD5
32ee17c4caae3570e290c8a653aa380f
SHA1
3b6ffb4fe23aa45ab536486f1aa11e02fac520b3
SHA256
86bcd250b70e261d29a20538ffaf9ea3b27b510f02721cc6853bda227deeb118
SHA512
059e383c954f97993bfbef9f161fe8548d52b9814b0f481d245209f9e7388c2a5aeb38b404353279dec892d20f64b96407ce37b46cf0d2362cc78a4b4482d530
SSDEEP
12288:dBlIPDf7JnfcMwbNlquDsGnTFJT+XXW12MJkuTTBZZO2LKHL0vK++KA20n:dBlIGM8ou4GrToG12BoDZoL07+KAD
Malware Config
Extracted
icedid
879983162
aptekoagraliy.com
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | rundll32.exe
Loads dropped DLL 3 IoCs
Processes: MsiExec.exe, rundll32.exe, rundll32.exe
pid | process
4776 | MsiExec.exe
2796 | rundll32.exe
2708 | rundll32.exe
Blocklisted process makes network request 4 IoCs
Processes: msiexec.exe
flow | pid | process
5 | 4688 | msiexec.exe
9 | 4688 | msiexec.exe
11 | 4688 | msiexec.exe
14 | 4688 | msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
Drops file in Windows directory 13 IoCs
Processes: msiexec.exe, rundll32.exe
description | ioc | process
File created | C:\Windows\Installer\e585a7f.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5D10.tmp-\CustomAction.config | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI5D10.tmp-\test.cs.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\e585a7f.msi | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5C44.tmp | msiexec.exe
File created | C:\Windows\Installer\e585a81.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5D10.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5D10.tmp-\WixSharp.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI5D10.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: msiexec.exe, rundll32.exe
pid | process
4104 | msiexec.exe
4104 | msiexec.exe
2708 | rundll32.exe
2708 | rundll32.exe
2708 | rundll32.exe
2708 | rundll32.exe
2708 | rundll32.exe
2708 | rundll32.exe
2708 | rundll32.exe
2708 | rundll32.exe
3304 |
3304 |
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: rundll32.exe
pid | process
2708 | rundll32.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe, msiexec.exe, vssvc.exe
description | pid | process
Token: SeShutdownPrivilege | 4688 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4688 | msiexec.exe
Token: SeSecurityPrivilege | 4104 | msiexec.exe
Token: SeCreateTokenPrivilege | 4688 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4688 | msiexec.exe
Token: SeLockMemoryPrivilege | 4688 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4688 | msiexec.exe
Token: SeMachineAccountPrivilege | 4688 | msiexec.exe
Token: SeTcbPrivilege | 4688 | msiexec.exe
Token: SeSecurityPrivilege | 4688 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4688 | msiexec.exe
Token: SeLoadDriverPrivilege | 4688 | msiexec.exe
Token: SeSystemProfilePrivilege | 4688 | msiexec.exe
Token: SeSystemtimePrivilege | 4688 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4688 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4688 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4688 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4688 | msiexec.exe
Token: SeBackupPrivilege | 4688 | msiexec.exe
Token: SeRestorePrivilege | 4688 | msiexec.exe
Token: SeShutdownPrivilege | 4688 | msiexec.exe
Token: SeDebugPrivilege | 4688 | msiexec.exe
Token: SeAuditPrivilege | 4688 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4688 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4688 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4688 | msiexec.exe
Token: SeUndockPrivilege | 4688 | msiexec.exe
Token: SeSyncAgentPrivilege | 4688 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4688 | msiexec.exe
Token: SeManageVolumePrivilege | 4688 | msiexec.exe
Token: SeImpersonatePrivilege | 4688 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4688 | msiexec.exe
Token: SeBackupPrivilege | 4780 | vssvc.exe
Token: SeRestorePrivilege | 4780 | vssvc.exe
Token: SeAuditPrivilege | 4780 | vssvc.exe
Token: SeBackupPrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4104 | msiexec.exe
Token: SeRestorePrivilege | 4104 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: msiexec.exe
pid | process
4688 | msiexec.exe
4688 | msiexec.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes: msiexec.exe, MsiExec.exe, rundll32.exe
description | pid | process | target process
PID 4104 wrote to memory of 4984 | 4104 | msiexec.exe | srtasks.exe
PID 4104 wrote to memory of 4984 | 4104 | msiexec.exe | srtasks.exe
PID 4104 wrote to memory of 4776 | 4104 | msiexec.exe | MsiExec.exe
PID 4104 wrote to memory of 4776 | 4104 | msiexec.exe | MsiExec.exe
PID 4776 wrote to memory of 2796 | 4776 | MsiExec.exe | rundll32.exe
PID 4776 wrote to memory of 2796 | 4776 | MsiExec.exe | rundll32.exe
PID 2796 wrote to memory of 2708 | 2796 | rundll32.exe | rundll32.exe
PID 2796 wrote to memory of 2708 | 2796 | rundll32.exe | rundll32.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\86bcd250b70e261d29a20538ffaf9ea3b27b510f02721cc6853bda227deeb118.msi
  PID: 4688
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4104
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\srtasks.exe (child of 4104)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4984
  C:\Windows\System32\MsiExec.exe (child of 4104)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 1D1E7BCE85AA5622CE4119D5814B6346
    PID: 4776
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\rundll32.exe (child of 4776)
      Command line: rundll32.exe "C:\Windows\Installer\MSI5D10.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240672062 2 test.cs!X1X3X2.Y1yY.Z3z1Z
      PID: 2796
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\rundll32.exe (child of 2796)
        Command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSI6fea4fcc.msi",scab /k jeeps329
        PID: 2708
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4780
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads