Malware Analysis Report

2024-10-18 23:50

Sample ID 231016-lxcvgadb9w
Target 86bcd250b70e261d29a20538ffaf9ea3b27b510f02721cc6853bda227deeb118
SHA256 86bcd250b70e261d29a20538ffaf9ea3b27b510f02721cc6853bda227deeb118
Tags
icedid 879983162 banker loader persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

86bcd250b70e261d29a20538ffaf9ea3b27b510f02721cc6853bda227deeb118

Threat Level: Known bad

The file 86bcd250b70e261d29a20538ffaf9ea3b27b510f02721cc6853bda227deeb118 was found to be: Known bad.

Malicious Activity Summary

icedid 879983162 banker loader persistence trojan

IcedID, BokBot

Modifies Installed Components in the registry

Checks computer location settings

Loads dropped DLL

Enumerates connected drives

Blocklisted process makes network request

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 09:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 09:54

Reported

2023-10-16 09:58

Platform

win7-20230831-en

Max time kernel

150s

Max time network

187s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\86bcd250b70e261d29a20538ffaf9ea3b27b510f02721cc6853bda227deeb118.msi

Signatures

IcedID, BokBot

trojan banker icedid

Modifies Installed Components in the registry

persistence

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3BD7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI40F8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI40F8.tmp-\test.cs.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI40F8.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f781ac1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f781ac1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f781ac2.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI40F8.tmp-\WixSharp.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f781ac2.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f781ac4.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI40F8.tmp-\CustomAction.config C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\86bcd250b70e261d29a20538ffaf9ea3b27b510f02721cc6853bda227deeb118.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "0000000000000060"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 893191D0B7A332DF1553DB76F7C4A52E

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI40F8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259539284 1 test.cs!X1X3X2.Y1yY.Z3z1Z

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSI24614286.msi",scab /k jeeps329

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x18c

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.ssl.com udp
US 54.236.82.84:80 www.ssl.com tcp
US 8.8.8.8:53 aptekoagraliy.com udp
US 188.114.96.0:80 aptekoagraliy.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab4E12.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar549B.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a107fa01b835b6c2b0c42dc4bd11749
SHA1 426f26f207f0d6e09664730c1dfe1f475008fa11
SHA256 a375c2afdfd9272c0b1219c68125eced46748cf78ed0278d567d37e100178515
SHA512 70733ad99c17a6c1cf45a5316caa1a177db9b060b0c919b672918b6f8fec14b06c44a6a134bfa404cb9676f9ff8193ea80c151445b6e6e635565bb892e66e6c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8555326CC9661C9937DC5053B6C38763

MD5 866912c070f1ecacacc2d5bca55ba129
SHA1 b7ab3308d1ea4477ba1480125a6fbda936490cbb
SHA256 85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69
SHA512 f91e855e0346ac8c3379129154e01488bb22cff7f6a6df2a80f1671e43c5df8acae36fdf5ee0eb2320f287a681a326b6f1df36e8e37aa5597c4797dd6b43b7cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8555326CC9661C9937DC5053B6C38763

MD5 26efdfc46b24c771e2172c6d80ee13c5
SHA1 9ec1b291045cc351fd1b8897c0039893d659698a
SHA256 c172949d9c510822f88d44e0154a24fa3e02ca04377eac24c01a83d211cc4a16
SHA512 35da5360ea050a1d1bc674fe0c4b0e1fcbc5d7f795896db11837846bf5cd694620060d4e0cc260ac79e625376814f59ac4f2a352df973fb4d5eb23dc0b98d2f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07298EE8EBA9732300AE62BDCA6B6898

MD5 e11e31581aae545302f6176a117b4d95
SHA1 743af0529bd032a0f44a83cdd4baa97b7c2ec49a
SHA256 2e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c
SHA512 c63aba6ca79c60a92b3bd26d784a5436e45a626022958bf6c194afc380c7bfb01fadf0b772513bbdbd7f1bb73691b0edb2f60b2f235ec9e0b81c427e04fbe451

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07298EE8EBA9732300AE62BDCA6B6898

MD5 2b246dab4f5b784a39eac6b09f410d29
SHA1 dd979f4360b3f4500fd53b6ef7b8259779895baf
SHA256 0ba2282b7c161e668576c682fad41a2f9e2978358353113eed30e17909e4e8b4
SHA512 e1f5bc06630fada65691e57434f493bca2e8a589317acb3a9d6f6c527a97c7cb06376eb7eb5db76cd4adc5e52336df194a3f43a71725d56cfe3cde60df6e2e7c

C:\Config.Msi\f781ac3.rbs

MD5 d626003f454efc687b270c22859762ca
SHA1 3d7ef01a6e928489f7575515d5c802554159e045
SHA256 600b9092709184d88a0c92a8d66f4819b1c973e69086a808afed8f88f73c7059
SHA512 25b78e907514d3b43d06d620cde0d4af62a26e254c675d6e2e78c22c07b877bb79f7b9d62da6c8e3de7b7c7c7bb349a246ebd0ad5dcfc9abc19fe500bf0c38d9

C:\Windows\Installer\MSI40F8.tmp

MD5 c7e405100714c4c686a256220e59f306
SHA1 b67b2c517ecf29b2fbf17a32040d73a1362db884
SHA256 471b54fd2b74ce73f41e4fe9ac6c459eba9d8d06c2448fe7097c58e5d8ea04fa
SHA512 b7633fd54f60cb41a5a8ecd4b52dad3e767b6babfebb905af7c14f63a8f082b072d8d814defe23b46bdcdfb878b7dd52bd9634b448b59c8b870b69e7bd5a8832

memory/2468-286-0x0000000000470000-0x000000000049E000-memory.dmp

memory/2468-287-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

memory/2468-288-0x000000001AAD0000-0x000000001AB50000-memory.dmp

memory/2468-296-0x000000001AAD0000-0x000000001AB50000-memory.dmp

memory/2468-289-0x000000001AAD0000-0x000000001AB50000-memory.dmp

memory/2468-297-0x000000001AAD0000-0x000000001AB50000-memory.dmp

memory/2468-299-0x0000000001BF0000-0x0000000001BFA000-memory.dmp

memory/2468-301-0x0000000002240000-0x00000000022B0000-memory.dmp

C:\Users\Admin\AppData\Local\MSI24614286.msi

MD5 c00a7a0dc633b124eb26504cc7c89d60
SHA1 87e75c6f66d515a53e7a7690f8add5ed3b4e539c
SHA256 56828f5666370fd228b33e3f81001d7cdeffdd7643d566bbb01f7a5b29728838
SHA512 54add2802c7268c03297640b0440b1f59c867dddec5332e663fce65a3c3624564452187264491c14cdfd81c0aa3367646868cbc791dc168fa84cbb33ea980975

memory/2468-313-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

memory/1568-317-0x0000000000190000-0x0000000000194000-memory.dmp

memory/1264-319-0x00000000778C2000-0x00000000778C3000-memory.dmp

memory/1264-318-0x0000000180000000-0x0000000180009000-memory.dmp

memory/1264-326-0x0000000180000000-0x0000000180009000-memory.dmp

memory/1264-327-0x00000000021D0000-0x00000000021D1000-memory.dmp

memory/2180-328-0x00000000042A0000-0x00000000042A1000-memory.dmp

memory/2180-329-0x00000000042A0000-0x00000000042A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-16 09:54

Reported

2023-10-16 09:57

Platform

win10v2004-20230915-en

Max time kernel

128s

Max time network

134s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\86bcd250b70e261d29a20538ffaf9ea3b27b510f02721cc6853bda227deeb118.msi

Signatures

IcedID, BokBot

trojan banker icedid

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Windows\system32\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e585a7f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5D10.tmp-\CustomAction.config C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI5D10.tmp-\test.cs.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\e585a7f.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5C44.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585a81.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5D10.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5D10.tmp-\WixSharp.dll C:\Windows\system32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI5D10.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value elided) C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\86bcd250b70e261d29a20538ffaf9ea3b27b510f02721cc6853bda227deeb118.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 1D1E7BCE85AA5622CE4119D5814B6346

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI5D10.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240672062 2 test.cs!X1X3X2.Y1yY.Z3z1Z

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSI6fea4fcc.msi",scab /k jeeps329

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 www.ssl.com udp
US 54.174.96.153:80 www.ssl.com tcp
US 8.8.8.8:53 crls.ssl.com udp
US 18.239.36.85:80 crls.ssl.com tcp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 153.96.174.54.in-addr.arpa udp
US 8.8.8.8:53 135.223.24.100.in-addr.arpa udp
US 8.8.8.8:53 85.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 59.82.57.23.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 aptekoagraliy.com udp
US 188.114.96.0:80 aptekoagraliy.com tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05

MD5 c62f298eaa04686d0379e6cebe8d7328
SHA1 f28c579242720bc38aa66196b63c4b518b11069d
SHA256 89cf5e48a19925908f4433a15f6e7be08c62e58063ca65ea9dc3b1c1d4107a73
SHA512 973bdf81459a7b6883435d47d064c18a7300005a74511ab63bda79687def6a0b5b10acc51b77ab3d77b9b09a7cd62a249bb58fe04467c074c33f95a6a66b4e74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

MD5 3434136869b1d155f86753e76027057b
SHA1 49392522577dc34687be46dc16be1ab8b33ebbd6
SHA256 a64a0c72ee1ff78205186950fd6bb7ea254149509910915a0069f19f0f94e7d8
SHA512 ce8343856bbcadb13b7e1ca40aa3e2e5e6753c9936ad447c8932ed976a28fe9d0bd4c20ecad2dbe6ac97b3b3f770d1c7fabf267a43260cf9dd5e3f91f3dced7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05

MD5 61a12aadbcf2965ce83f62518a4d2435
SHA1 d9452c26c46f8d10a482e28f7d76bc8d322a2692
SHA256 eb57d137a353c6875ee2860305fd69494f100e13b51d1b36d0b3e40eb4a296f5
SHA512 999eaeab32787860bf5415272d07a0b1111b6671cf3e97c4bfd22d6828093d71e73ef3e42a5d9e76cc8dc319131caf9c58e81f781ae1bb976070f7defdf6ccca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

MD5 4e25d0434bd1f6cf35ee2c332255e571
SHA1 95a58811cbde3a2513d7fb8210e79545d45b8ab4
SHA256 8bc805fff18eda3d49a908d49f5659c07231e5bf0f4508019624b38a385a90f9
SHA512 09ef92c3f49ea82800bcd0b4fdcb6d7a5e559c9dad9bbdda139cbabef08907b89234026ece34f47e5626d5f56103220ac907ceda3c63b7eaab8933acbcf02e23

C:\Config.Msi\e585a80.rbs

MD5 b9a8bcf456153c0fc5cc9600920425f2
SHA1 5dd9e87a9c9c777a8f015e0750b6e7fe8bc76bb5
SHA256 610ed4bc5bc1f887e45f3c76b0ee487cb0df6bb052b09cf6914e0f1504ddb90c
SHA512 db14ab8bcf10aecc540ae7a21dc43c89d401d0ba2d909c5275b0092eed7f57a320ed97574c8f7e78b6d4cb4e7748ad67ac219f09154ed6049233689001dba48e

C:\Windows\Installer\MSI5D10.tmp

MD5 c7e405100714c4c686a256220e59f306
SHA1 b67b2c517ecf29b2fbf17a32040d73a1362db884
SHA256 471b54fd2b74ce73f41e4fe9ac6c459eba9d8d06c2448fe7097c58e5d8ea04fa
SHA512 b7633fd54f60cb41a5a8ecd4b52dad3e767b6babfebb905af7c14f63a8f082b072d8d814defe23b46bdcdfb878b7dd52bd9634b448b59c8b870b69e7bd5a8832

memory/2796-46-0x000001A859FD0000-0x000001A859FFE000-memory.dmp

memory/2796-48-0x000001A841B20000-0x000001A841B2A000-memory.dmp

memory/2796-50-0x000001A85A0E0000-0x000001A85A150000-memory.dmp

memory/2796-51-0x00007FFE44FF0000-0x00007FFE45AB1000-memory.dmp

memory/2796-52-0x000001A85A060000-0x000001A85A070000-memory.dmp

memory/2796-53-0x000001A85A060000-0x000001A85A070000-memory.dmp

memory/2796-54-0x000001A85A060000-0x000001A85A070000-memory.dmp

memory/2796-55-0x000001A85A060000-0x000001A85A070000-memory.dmp

C:\Users\Admin\AppData\Local\MSI6fea4fcc.msi

MD5 c00a7a0dc633b124eb26504cc7c89d60
SHA1 87e75c6f66d515a53e7a7690f8add5ed3b4e539c
SHA256 56828f5666370fd228b33e3f81001d7cdeffdd7643d566bbb01f7a5b29728838
SHA512 54add2802c7268c03297640b0440b1f59c867dddec5332e663fce65a3c3624564452187264491c14cdfd81c0aa3367646868cbc791dc168fa84cbb33ea980975

memory/2796-68-0x00007FFE44FF0000-0x00007FFE45AB1000-memory.dmp

memory/2708-70-0x0000020A47570000-0x0000020A47574000-memory.dmp

memory/3304-73-0x00007FFE63D81000-0x00007FFE63D82000-memory.dmp

memory/3304-74-0x0000000180000000-0x0000000180009000-memory.dmp

memory/3304-81-0x0000000180000000-0x0000000180009000-memory.dmp

\??\Volume{6ada6bfc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{56c3621d-69fd-4b3f-8302-c362eafa4faa}_OnDiskSnapshotProp

MD5 cb735ecf41ecfd16f02131ea466d431e
SHA1 26404683fdf11da244452ced847012775e6a6117
SHA256 85fef17a672105d751eec97061ef0f5bb03fd2b373f38562b77a992e39243314
SHA512 34e295b30d17c8924a9c7623e136fa2aa020102cf638170f2633e1ed4786a1621050e9ee58de99ddc47ce98e197dec59907864c1250f5a89197d9661e31fb53b

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 0a75b4532666bba2dac31ed9789175f2
SHA1 6b32add25ee9ab9359c8e7e0fd7143b071c76558
SHA256 e4b3a0595b70ab95a35f6b32094b7a1aeae5c98c737516d745b491b571b9c769
SHA512 4cec4ee873b80ce63fa411edce9482909756cef5b719890788364d6de76cbee7c262b396a56e8f6455c0c7d4419a516ba1c914066799eb080cf05f6e15a7314f

memory/3304-84-0x00007FFE63D81000-0x00007FFE63D82000-memory.dmp