| File name: | current_yet.msi |
| Full analysis: | https://app.any.run/tasks/1c76afdc-4eb0-4123-8102-f97104129b64 |
| Verdict: | Malicious activity |
| Threats: | IcedID is a banking trojan-type malware which allows attackers to utilize it to steal banking credentials of the victims. IcedID aka BokBot mainly targets businesses and steals payment information, it also acts as a loader and can deliver another viruses or download additional modules. |
| Analysis date: | December 05, 2022, 22:44:13 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MyProduct, Author: User, Keywords: Installer, Comments: This installer database contains the logic and data required to install MyProduct., Template: x64;1033, Revision Number: {6F330B47-2577-43AD-9095-1861BA25889B}, Create Time/Date: Mon Dec 5 16:18:38 2022, Last Saved Time/Date: Mon Dec 5 16:18:38 2022, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2 |
| MD5: | 123E08900A96C6F2F8EDF6F7C8658436 |
| SHA1: | DA2AB9FFA5011065E3CAF4A6EE539790E514AB2F |
| SHA256: | F677D2FFFD8BCE6F18A28B156C937E1E28A83BB2A29E2470E76D9314C2168678 |
| SSDEEP: | 12288:mwHL0D7BkCPumy9chfA+tk8B0igC+/NHBQ1SdwS:PHL0R/zyt++8BtZKBmS+ |
MALICIOUS
Creates a writable file the system directory
- msiexec.exe (PID: 5596)
Loads dropped or rewritten executable
- rundll32.exe (PID: 1884)
- MsiExec.exe (PID: 5264)
- rundll32.exe (PID: 5820)
ICEDID was detected
- rundll32.exe (PID: 5820)
SUSPICIOUS
Searches for installed software
- msiexec.exe (PID: 5596)
Executes as Windows Service
- vssvc.exe (PID: 6096)
Application launched itself
- msiexec.exe (PID: 5596)
- rundll32.exe (PID: 1884)
Starts Microsoft Installer
- msiexec.exe (PID: 5596)
Uses RUNDLL32.EXE to load library
- MsiExec.exe (PID: 5264)
- rundll32.exe (PID: 1884)
Creates a software uninstall entry
- msiexec.exe (PID: 5596)
Reads settings of System Certificates
- SLUI.exe (PID: 2192)
- slui.exe (PID: 5680)
INFO
Creates files in the Windows directory
- msiexec.exe (PID: 5596)
Checks supported languages
- conhost.exe (PID: 1068)
Creates a file in a temporary directory
- rundll32.exe (PID: 1884)
Executable content was dropped or overwritten
- msiexec.exe (PID: 5596)
Reads the software policy settings
- SLUI.exe (PID: 2192)
- slui.exe (PID: 5680)
Checks proxy server information
- slui.exe (PID: 5680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Installer (100) |
|---|
Total processes
140
Monitored processes
13
Malicious processes
7
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 308 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\current_yet.msi" | C:\Windows\System32\msiexec.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 700 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneDriveFile Co-Authoring Executable Exit code: 0 Version: 19.043.0304.0013 Modules
| |||||||||||||||
| 1068 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | \??\C:\WINDOWS\system32\conhost.exe | — | srtasks.exe | |||||||||||
User: SYSTEM Integrity Level: SYSTEM Exit code: 0 Modules
| |||||||||||||||
| 1884 | rundll32.exe "C:\WINDOWS\Installer\MSI3F6C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1064890 2 test.cs!Test.CustomActions.MyAction | C:\WINDOWS\system32\rundll32.exe | — | MsiExec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2192 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\WINDOWS\System32\SLUI.exe | SppExtComObj.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2580 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneDriveFile Co-Authoring Executable Exit code: 0 Version: 19.043.0304.0013 Modules
| |||||||||||||||
| 3164 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 | C:\WINDOWS\system32\srtasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4836 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\WINDOWS\system32\SppExtComObj.exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Exit code: 0 Version: 10.0.19041.1202 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5264 | C:\Windows\System32\MsiExec.exe -Embedding D0776224F72CEE2E0ABECACB92AF776A | C:\Windows\System32\MsiExec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5596 | C:\WINDOWS\system32\msiexec.exe /V | C:\WINDOWS\system32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
8 789
Read events
8 495
Write events
272
Delete events
22
Modification events
| (PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore |
| Operation: | write | Name: | RPSessionInterval |
Value: 0 | |||
| (PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Setup_Last |
| Operation: | write | Name: | Upgrade_{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513} |
Value: \\?\Volume{f3242fb5-0000-0000-0000-501f00000000}\:(C%3A) | |||
| (PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients |
| Operation: | write | Name: | {09F7EDC5-294E-4180-AF6A-FB0E6A0E9513} |
Value: \\?\Volume{2f5c5e72-85a9-11eb-90a8-9a9b76358421}\:(C%3A) | |||
| (PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore |
| Operation: | write | Name: | RPSessionInterval |
Value: 1 | |||
| (PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore |
| Operation: | write | Name: | FirstRun |
Value: 0 | |||
| (PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore |
| Operation: | write | Name: | LastIndex |
Value: 0 | |||
| (PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile |
| Operation: | write | Name: | NestingLevel |
Value: 0 | |||
| (PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile |
| Operation: | write | Name: | StartNesting |
Value: 0000000000000000 | |||
| (PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore |
| Operation: | write | Name: | SRInitDone |
Value: 1 | |||
| (PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Setup\PreviousOSUpgrade |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
7
Suspicious files
16
Text files
2
Unknown types
7
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5596 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 5596 | msiexec.exe | C:\WINDOWS\Installer\MSI3F6C.tmp | executable | |
MD5:— | SHA256:— | |||
| 5596 | msiexec.exe | C:\WINDOWS\Installer\103eef.msi | executable | |
MD5:— | SHA256:— | |||
| 5596 | msiexec.exe | C:\WINDOWS\System32\Restore\MachineGuid.txt | binary | |
MD5:— | SHA256:— | |||
| 5596 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{fedefcdc-b606-4413-8fae-74594112c39e}_OnDiskSnapshotProp | binary | |
MD5:— | SHA256:— | |||
| 1884 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log | text | |
MD5:— | SHA256:— | |||
| 1884 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSI3F6C.tmp-\test.cs.dll | executable | |
MD5:— | SHA256:— | |||
| 1884 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\tmp4076.dll | executable | |
MD5:— | SHA256:— | |||
| 1884 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSI3F6C.tmp-\Microsoft.Deployment.WindowsInstaller.dll | executable | |
MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA | SHA256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA | |||
| 5596 | msiexec.exe | C:\Config.Msi\103ef0.rbs | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
71
TCP/UDP connections
71
DNS requests
23
Threats
15
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6084 | sihclient.exe | GET | 304 | 52.152.110.14:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | US | — | — | whitelisted |
1012 | svchost.exe | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 210 b | whitelisted |
1012 | svchost.exe | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 210 b | whitelisted |
5820 | rundll32.exe | GET | 404 | 165.227.104.80:80 | http://kamintrewftor.com/ | US | html | 271 b | malicious |
— | — | GET | 200 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.1165&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4 | IE | binary | 3.35 Kb | whitelisted |
— | — | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 210 b | whitelisted |
1012 | svchost.exe | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 210 b | whitelisted |
1012 | svchost.exe | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 210 b | whitelisted |
1012 | svchost.exe | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 210 b | whitelisted |
6084 | sihclient.exe | GET | 200 | 95.101.54.128:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | der | 1.11 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1012 | svchost.exe | 40.126.32.140:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | suspicious |
2724 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5820 | rundll32.exe | 165.227.104.80:80 | kamintrewftor.com | DIGITALOCEAN-ASN | US | malicious |
6084 | sihclient.exe | 52.152.110.14:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6084 | sihclient.exe | 95.101.54.128:80 | crl.microsoft.com | Akamai International B.V. | DE | suspicious |
3584 | mousocoreworker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | suspicious |
4400 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | suspicious |
4348 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | suspicious |
2916 | svchost.exe | 104.79.89.142:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
client.wns.windows.com |
| whitelisted |
kamintrewftor.com |
| malicious |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
5820 | rundll32.exe | A Network Trojan was detected | ET TROJAN Win32/IcedID Request Cookie |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
5412 | svchost.exe | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |