f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678

Add for printing

File name:	current_yet.msi
Full analysis:	https://app.any.run/tasks/1c76afdc-4eb0-4123-8102-f97104129b64
Verdict:	Malicious activity
Threats:	IcedID is a banking trojan-type malware which allows attackers to utilize it to steal banking credentials of the victims. IcedID aka BokBot mainly targets businesses and steals payment information, it also acts as a loader and can deliver another viruses or download additional modules. Malware Trends Tracker >>>
Analysis date:	December 05, 2022, 22:44:13
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	trojan icedid
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MyProduct, Author: User, Keywords: Installer, Comments: This installer database contains the logic and data required to install MyProduct., Template: x64;1033, Revision Number: {6F330B47-2577-43AD-9095-1861BA25889B}, Create Time/Date: Mon Dec 5 16:18:38 2022, Last Saved Time/Date: Mon Dec 5 16:18:38 2022, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:	123E08900A96C6F2F8EDF6F7C8658436
SHA1:	DA2AB9FFA5011065E3CAF4A6EE539790E514AB2F
SHA256:	F677D2FFFD8BCE6F18A28B156C937E1E28A83BB2A29E2470E76D9314C2168678
SSDEEP:	12288:mwHL0D7BkCPumy9chfA+tk8B0igC+/NHBQ1SdwS:PHL0R/zyt++8BtZKBmS+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 660 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: on
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.789.19041.0 undefined
Adobe Acrobat Reader DC (20.013.20074)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (87.0.4280.88)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Microsoft Edge (104.0.1293.63)
Microsoft Edge Update (1.3.167.21)
Microsoft Office Professional 2019 - de-de (16.0.12026.20264)
Microsoft Office Professional 2019 - en-us (16.0.12026.20264)
Microsoft Office Professional 2019 - es-es (16.0.12026.20264)
Microsoft Office Professional 2019 - it-it (16.0.12026.20264)
Microsoft Office Professional 2019 - ja-jp (16.0.12026.20264)
Microsoft Office Professional 2019 - ko-kr (16.0.12026.20264)
Microsoft Office Professional 2019 - pt-br (16.0.12026.20264)
Microsoft Office Professional 2019 - tr-tr (16.0.12026.20264)
Microsoft Office Professionnel 2019 - fr-fr (16.0.12026.20264)
Microsoft Office профессиональный 2019 - ru-ru (16.0.12026.20264)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 (14.30.30704.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.30.30704 (14.30.30704)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.30.30704 (14.30.30704)
Mozilla Firefox 84.0 (x64 en-US) (84.0)
Mozilla Maintenance Service (84.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.12026.20264)
Office 16 Click-to-Run Licensing Component (16.0.12026.20264)
Office 16 Click-to-Run Localization Component (16.0.12026.20264)
Opera 12.15 (12.15.1748)
QGA (2.14.32)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.67.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
VLC media player (3.0.11)
WinRAR 5.60 (64-bit) (5.60.0)
Windows 10 Upgrade Assistant (1.4.9200.22175)

Hotfixes

Client LanguagePack Package
DotNetRollup
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Creates a writable file the system directory
  - msiexec.exe (PID: 5596)
- ICEDID was detected
  - rundll32.exe (PID: 5820)
- Loads dropped or rewritten executable
  - rundll32.exe (PID: 5820)
  - rundll32.exe (PID: 1884)
  - MsiExec.exe (PID: 5264)
SUSPICIOUS
- Application launched itself
  - msiexec.exe (PID: 5596)
  - rundll32.exe (PID: 1884)
- Searches for installed software
  - msiexec.exe (PID: 5596)
- Uses RUNDLL32.EXE to load library
  - MsiExec.exe (PID: 5264)
  - rundll32.exe (PID: 1884)
- Executes as Windows Service
  - vssvc.exe (PID: 6096)
- Starts Microsoft Installer
  - msiexec.exe (PID: 5596)
- Creates a software uninstall entry
  - msiexec.exe (PID: 5596)
- Reads settings of System Certificates
  - SLUI.exe (PID: 2192)
  - slui.exe (PID: 5680)
INFO
- Creates files in the Windows directory
  - msiexec.exe (PID: 5596)
- Checks supported languages
  - conhost.exe (PID: 1068)
- Creates a file in a temporary directory
  - rundll32.exe (PID: 1884)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 5596)
- Checks proxy server information
  - slui.exe (PID: 5680)
- Reads the software policy settings
  - SLUI.exe (PID: 2192)
  - slui.exe (PID: 5680)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi

Microsoft Installer (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

140

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

308

"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\current_yet.msi"

C:\Windows\System32\msiexec.exe

—

Explorer.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

5596

C:\WINDOWS\system32\msiexec.exe /V

C:\WINDOWS\system32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

6096

C:\WINDOWS\system32\vssvc.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3164

C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1

C:\WINDOWS\system32\srtasks.exe

—

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Windows System Protection background tasks.

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

1068

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

\??\C:\WINDOWS\system32\conhost.exe

—

srtasks.exe

User:

SYSTEM

Integrity Level:

SYSTEM

Exit code:

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5264

C:\Windows\System32\MsiExec.exe -Embedding D0776224F72CEE2E0ABECACB92AF776A

C:\Windows\System32\MsiExec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll

1884

rundll32.exe "C:\WINDOWS\Installer\MSI3F6C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1064890 2 test.cs!Test.CustomActions.MyAction

C:\WINDOWS\system32\rundll32.exe

—

MsiExec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

5820

"C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\tmp4076.dll",init

C:\Windows\System32\rundll32.exe

rundll32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

4836

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\WINDOWS\system32\SppExtComObj.exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Exit code:

Version:

10.0.19041.1202 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll

2192

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\WINDOWS\System32\SLUI.exe

SppExtComObj.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

Add for printing

Total events

8 789

Read events

8 495

Write events

272

Delete events

Modification events


(PID) Process:	(5596) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation:	write	Name:	RPSessionInterval
Value: 0
(PID) Process:	(5596) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Setup_Last
Operation:	write	Name:	Upgrade_{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}
Value: \\?\Volume{f3242fb5-0000-0000-0000-501f00000000}\:(C%3A)
(PID) Process:	(5596) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients
Operation:	write	Name:	{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}
Value: \\?\Volume{2f5c5e72-85a9-11eb-90a8-9a9b76358421}\:(C%3A)
(PID) Process:	(5596) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation:	write	Name:	RPSessionInterval
Value: 1
(PID) Process:	(5596) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation:	write	Name:	FirstRun
Value: 0
(PID) Process:	(5596) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation:	write	Name:	LastIndex
Value: 0
(PID) Process:	(5596) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
Operation:	write	Name:	NestingLevel
Value: 0
(PID) Process:	(5596) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
Operation:	write	Name:	StartNesting
Value: 0000000000000000
(PID) Process:	(5596) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation:	write	Name:	SRInitDone
Value: 1
(PID) Process:	(5596) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Setup\PreviousOSUpgrade
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5596	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
5596	msiexec.exe	C:\WINDOWS\Installer\103eef.msi		executable
		MD5:123E08900A96C6F2F8EDF6F7C8658436	SHA256:F677D2FFFD8BCE6F18A28B156C937E1E28A83BB2A29E2470E76D9314C2168678
1884	rundll32.exe	C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log		text
		MD5:F4D4EFE2A9C613239F1766C28571C09C	SHA256:F4FE052C87623041BEC428960320E04CDC1F1DD61F63F7C775DA617C8DE78C6D
5596	msiexec.exe	C:\WINDOWS\TEMP\~DF6938FA49DE02AC2A.TMP		gmc
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
5596	msiexec.exe	C:\WINDOWS\Installer\MSI3F6C.tmp		executable
		MD5:58764E57ACBEEC211E0DC2D07CA2FB3E	SHA256:13954D45B324BA4C5C4148CBD469289E62F783B0304ABA398CF426A993A5A379
1884	rundll32.exe	C:\Users\admin\AppData\Local\Temp\MSI3F6C.tmp-\CustomAction.config		xml
		MD5:C9C40AF1656F8531EAA647CACEB1E436	SHA256:1A67F60962CA1CBF19873B62A8518EFE8C701A09CD609AF4C50ECC7F0B468BB8
5596	msiexec.exe	C:\Config.Msi\103ef0.rbs		binary
		MD5:031D4AB894C988FB556AAA3B6B632F39	SHA256:D2AF89A9DDD9A482E45C156569B0062C3BDE57EED68347A5123759983D52BBDC
5596	msiexec.exe	C:\WINDOWS\Installer\MSI4180.tmp		binary
		MD5:B2A7F77398EA00C278882B0C61026405	SHA256:683135E4400F671D456E57F8F43AD7D0843FE86442E307EB8E61A6C771E076AA
1884	rundll32.exe	C:\Users\admin\AppData\Local\Temp\MSI3F6C.tmp-\test.cs.dll		executable
		MD5:5DC2EF88EEEB59E7410002B0F32E179E	SHA256:950039790D9035228978CE644429AF1587225503C8631392F1C03ED6FD77BB6A
5596	msiexec.exe	C:\WINDOWS\System32\Restore\MachineGuid.txt		binary
		MD5:D5EC15DFB0B6763D0EAA47E07CD5DA8F	SHA256:0A7123DD1C4C04941BC6433F4BCEB958DE8AE1101E0DEAC08F6270582A42FE67

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	4.231.128.59:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.1165&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4	IE	binary	3.35 Kb	whitelisted
—	—	POST	200	40.126.32.140:443	https://login.live.com/RST2.srf	US	xml	1.25 Kb	whitelisted
—	—	POST	400	40.126.32.140:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	210 b	whitelisted
—	—	POST	400	40.126.32.140:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	210 b	whitelisted
1012	svchost.exe	POST	400	40.126.32.140:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	210 b	whitelisted
1012	svchost.exe	POST	400	40.126.32.140:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	210 b	whitelisted
1012	svchost.exe	POST	400	40.126.32.140:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	210 b	whitelisted
1012	svchost.exe	POST	400	40.126.32.140:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	210 b	whitelisted
1012	svchost.exe	POST	400	40.126.32.140:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	210 b	whitelisted
5820	rundll32.exe	GET	404	165.227.104.80:80	http://kamintrewftor.com/	US	html	271 b	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6084	sihclient.exe	52.152.110.14:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5820	rundll32.exe	165.227.104.80:80	kamintrewftor.com	DIGITALOCEAN-ASN	US	malicious
2724	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1012	svchost.exe	40.126.32.140:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	suspicious
6084	sihclient.exe	95.101.54.128:80	crl.microsoft.com	Akamai International B.V.	DE	suspicious
6084	sihclient.exe	52.152.108.96:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	suspicious
6084	sihclient.exe	104.79.89.142:80	www.microsoft.com	AKAMAI-AS	DE	malicious
2916	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3584	mousocoreworker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	suspicious

DNS requests

Domain	IP	Reputation
client.wns.windows.com	40.113.103.199 40.113.110.67	whitelisted
kamintrewftor.com	165.227.104.80	malicious
slscr.update.microsoft.com	52.152.110.14	whitelisted
crl.microsoft.com	95.101.54.128 95.101.54.122 2.19.126.97 2.19.126.87	whitelisted
www.microsoft.com	104.79.89.142 23.35.229.160	whitelisted
fe3cr.delivery.mp.microsoft.com	52.152.108.96	whitelisted
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.109.13.63	whitelisted
self.events.data.microsoft.com	51.132.193.104	whitelisted

Threats

PID	Process	Class	Message
5820	rundll32.exe	A Network Trojan was detected	ET TROJAN Win32/IcedID Request Cookie
5412	svchost.exe	Misc activity	ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
5412	svchost.exe	Misc activity	ET INFO Windows OS Submitting USB Metadata to Microsoft
5412	svchost.exe	Misc activity	ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
5412	svchost.exe	Misc activity	ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
5412	svchost.exe	Misc activity	ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
5412	svchost.exe	Misc activity	ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
5412	svchost.exe	Misc activity	ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
5412	svchost.exe	Misc activity	ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
5412	svchost.exe	Misc activity	ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent

Add for printing

No debug info

General Info

current_yet.msi

123E08900A96C6F2F8EDF6F7C8658436

DA2AB9FFA5011065E3CAF4A6EE539790E514AB2F

F677D2FFFD8BCE6F18A28B156C937E1E28A83BB2A29E2470E76D9314C2168678

12288:mwHL0D7BkCPumy9chfA+tk8B0igC+/NHBQ1SdwS:PHL0R/zyt++8BtZKBmS+

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Creates a writable file the system directory

ICEDID was detected

Loads dropped or rewritten executable

SUSPICIOUS

Application launched itself

Searches for installed software

Uses RUNDLL32.EXE to load library

Executes as Windows Service

Starts Microsoft Installer

Creates a software uninstall entry

Reads settings of System Certificates

INFO

Creates files in the Windows directory

Checks supported languages

Creates a file in a temporary directory

Executable content was dropped or overwritten

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings