| File name: | build-123.msi |
| Full analysis: | https://app.any.run/tasks/df3198da-3210-466d-a9c1-764889978fa8 |
| Verdict: | Malicious activity |
| Threats: | IcedID is a banking trojan-type malware which allows attackers to utilize it to steal banking credentials of the victims. IcedID aka BokBot mainly targets businesses and steals payment information, it also acts as a loader and can deliver another viruses or download additional modules. |
| Analysis date: | November 01, 2023, 00:05:01 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {3BD7E60E-9127-4830-A094-8CF2F04E5002}, Number of Words: 10, Subject: nbytgvrfc, Author: yhbtgvrfced, Name of Creating Application: nbytgvrfc (Evaluation Installer), Template: ;1033, Comments: njhbtgvrfcedx (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Thu Oct 26 16:48:11 2023, Number of Pages: 200 |
| MD5: | 44BFCB59A6D4B4FF4B02B4C765D5F488 |
| SHA1: | 5FD55488D2A726F0CAF801E78B29253FC3D61BBA |
| SHA256: | C9C4ED0902DF031F72F3AE176895A2B43DC2737F7CE5AB5017134AEC0C21DFAD |
| SSDEEP: | 98304:99IHoworhFUGWLi9sq6TYNMi5dhlJ3lx8BgQtAuhgYInUr4ntGBe+QOMSUkOeqUR:hoBu0 |
MALICIOUS
Drops the executable file immediately after the start
- msiexec.exe (PID: 5684)
SUSPICIOUS
Executes as Windows Service
- VSSVC.exe (PID: 748)
Reads the date of Windows installation
- MSIC4A7.tmp (PID: 7600)
Process drops legitimate windows executable
- msiexec.exe (PID: 5684)
Uses RUNDLL32.EXE to load library
- rundll32.exe (PID: 7644)
INFO
Checks supported languages
- msiexec.exe (PID: 5684)
- MSIC4A7.tmp (PID: 7600)
- msiexec.exe (PID: 7496)
Reads the computer name
- msiexec.exe (PID: 5684)
- MSIC4A7.tmp (PID: 7600)
- msiexec.exe (PID: 7496)
Starts application with an unusual extension
- msiexec.exe (PID: 5684)
Process checks computer location settings
- MSIC4A7.tmp (PID: 7600)
Reads Environment values
- msiexec.exe (PID: 7496)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (81.9) |
|---|---|---|
| .mst | | | Windows SDK Setup Transform Script (9.2) |
| .msp | | | Windows Installer Patch (7.6) |
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| LastPrinted: | 2009:12:11 11:47:44 |
|---|---|
| ModifyDate: | 2020:09:18 14:06:51 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| RevisionNumber: | {3BD7E60E-9127-4830-A094-8CF2F04E5002} |
| Words: | 10 |
| Subject: | nbytgvrfc |
| Author: | yhbtgvrfced |
| LastModifiedBy: | - |
| Software: | nbytgvrfc (Evaluation Installer) |
| Template: | ;1033 |
| Comments: | njhbtgvrfcedx (Evaluation Installer) |
| Title: | Installation Database |
| Keywords: | Installer, MSI, Database |
| CreateDate: | 2023:10:26 15:48:11 |
| Pages: | 200 |
Total processes
187
Monitored processes
10
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 748 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3172 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Downloads\build-123.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4116 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneDriveFile Co-Authoring Executable Exit code: 0 Version: 19.043.0304.0013 Modules
| |||||||||||||||
| 5684 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7432 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7444 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7496 | C:\Windows\syswow64\MsiExec.exe -Embedding E705B4599BC3D971FB5ECAA18169B459 | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7600 | "C:\WINDOWS\Installer\MSIC4A7.tmp" /DontWait /HideWindow C:\Windows\System32\rundll32.exe C:\ProgramData\btgvvtr\0loader_p1_dll_64_n1_x64_inf.dll scab /k roluxe752 | C:\Windows\Installer\MSIC4A7.tmp | — | msiexec.exe | |||||||||||
User: admin Company: Caphyon LTD Integrity Level: MEDIUM Description: File that launches another file Exit code: 0 Version: 21.0.1.0 Modules
| |||||||||||||||
| 7644 | "C:\Windows\System32\rundll32.exe" C:\ProgramData\btgvvtr\0loader_p1_dll_64_n1_x64_inf.dll scab /k roluxe752 | C:\Windows\SysWOW64\rundll32.exe | — | MSIC4A7.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.746 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7664 | "C:\Windows\System32\rundll32.exe" C:\ProgramData\btgvvtr\0loader_p1_dll_64_n1_x64_inf.dll scab /k roluxe752 | C:\Windows\System32\rundll32.exe | — | rundll32.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
2 715
Read events
2 647
Write events
50
Delete events
18
Modification events
| (PID) Process: | (5684) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4800000000000000B794B581A43CD9010C0A0000180C0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5684) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 4800000000000000B794B581A43CD9010C0A0000180C0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5684) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 48000000000000003607CB81A43CD9010C0A0000180C0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5684) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 48000000000000004369CD81A43CD9010C0A0000180C0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5684) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 48000000000000004369CD81A43CD9010C0A0000180C0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5684) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4800000000000000D1E13F75A33CD901A0020000CC040000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5684) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 2 | |||
| (PID) Process: | (5684) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 4800000000000000F4444275A33CD901A0020000CC040000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (748) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (748) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Description |
| Operation: | write | Name: | FirmwareModified |
Value: 1 | |||
Executable files
9
Suspicious files
20
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5684 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 5684 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{ebea3ddb-93be-4f0a-a49b-0c3ac01ae4b7}_OnDiskSnapshotProp | binary | |
MD5:9D7C7DA44DB4D1C4E2CB280EB8A06FA2 | SHA256:2E44AC18DC6764D566523713E8C555537380931C74FE2C28C6932086067D4782 | |||
| 5684 | msiexec.exe | C:\WINDOWS\Installer\MSIC2FB.tmp | executable | |
MD5:89F70B588A48793450DD603B6CD4096F | SHA256:066C52ED8EBF63A33AB8290B7C58D0C13F79C14FAA8BF12B1B41F643D3EBE281 | |||
| 5684 | msiexec.exe | C:\WINDOWS\Installer\15c2ad.msi | executable | |
MD5:44BFCB59A6D4B4FF4B02B4C765D5F488 | SHA256:C9C4ED0902DF031F72F3AE176895A2B43DC2737F7CE5AB5017134AEC0C21DFAD | |||
| 5684 | msiexec.exe | C:\WINDOWS\Installer\MSIC4A7.tmp | executable | |
MD5:0C8696262850937C0C34DA3CD24B2BB0 | SHA256:06A80941EF4D514FC6845F0A82CDAE80D5DC23BECF53797E45656473AA1E98DC | |||
| 5684 | msiexec.exe | C:\WINDOWS\TEMP\~DFCD33DC93B3F9C437.TMP | binary | |
MD5:BF619EAC0CDF3F68D496EA9344137E8B | SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 | |||
| 5684 | msiexec.exe | C:\WINDOWS\Installer\MSIC477.tmp | binary | |
MD5:629A1E442FE87C55C5A75D74A7C0B176 | SHA256:C82E6CAA0DFFE54DC87AD12640ECA5FA66418D91B09081971FA619D179896C0B | |||
| 5684 | msiexec.exe | C:\WINDOWS\TEMP\~DFB879B7FFEECE282D.TMP | binary | |
MD5:52BBF13FB90F54A1070CBBA341705BEA | SHA256:E3A8F6E852F558C9435C0A6127D52EEA9CD0BA18AB0E12DD5AA56E63E384A57A | |||
| 5684 | msiexec.exe | C:\ProgramData\btgvvtr\0loader_p1_dll_64_n1_x64_inf.dll | executable | |
MD5:380DA2112494D38CB7753E500A7833BD | SHA256:2ED82C45CA01AFB84DB23D41F50EECC726A804F4F8B2F5E9C6A561003643194D | |||
| 5684 | msiexec.exe | C:\WINDOWS\Installer\inprogressinstallinfo.ipi | binary | |
MD5:52BBF13FB90F54A1070CBBA341705BEA | SHA256:E3A8F6E852F558C9435C0A6127D52EEA9CD0BA18AB0E12DD5AA56E63E384A57A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
81
TCP/UDP connections
62
DNS requests
25
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
7760 | svchost.exe | HEAD | 200 | 8.238.191.254:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1699005712&P2=404&P3=2&P4=P9SRuDfpv%2bIUwN%2fhO13Kp2vg3Wzz%2bsFyVcSxJWgQ%2fmPVJVjwbrHN3fVc2%2b2M1SpJbKzI%2fIG2%2flN1RNOa2NocTw%3d%3d | unknown | — | — | unknown |
3704 | svchost.exe | GET | 404 | 188.114.96.3:80 | http://grafielucho.com/ | unknown | html | 269 b | unknown |
6240 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | binary | 471 b | unknown |
4112 | svchost.exe | GET | 404 | 188.114.96.3:80 | http://grafielucho.com/ | unknown | html | 269 b | unknown |
7580 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 418 b | unknown |
7580 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | binary | 409 b | unknown |
1356 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown |
8108 | WerFault.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | binary | 814 b | unknown |
8108 | WerFault.exe | GET | 200 | 2.21.20.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.11 Kb | unknown |
2980 | svchost.exe | GET | 200 | 23.212.210.158:80 | http://x1.c.lencr.org/ | unknown | der | 717 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
2836 | msedge.exe | 224.0.0.251:5353 | — | — | — | unknown |
5344 | svchost.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
2836 | msedge.exe | 239.255.255.250:1900 | — | — | — | unknown |
1356 | svchost.exe | 20.190.159.23:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
1356 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3792 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
3704 | svchost.exe | 188.114.96.3:80 | grafielucho.com | CLOUDFLARENET | NL | unknown |
4112 | svchost.exe | 188.114.96.3:80 | grafielucho.com | CLOUDFLARENET | NL | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
login.live.com |
| whitelisted |
grafielucho.com |
| unknown |
arc.msn.com |
| whitelisted |
umwatson.events.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3704 | svchost.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/IcedID Requesting Encoded Binary M4 |
3704 | svchost.exe | A Network Trojan was detected | ET MALWARE Win32/IcedID Request Cookie |
4112 | svchost.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/IcedID Requesting Encoded Binary M4 |
4112 | svchost.exe | A Network Trojan was detected | ET MALWARE Win32/IcedID Request Cookie |