File name: | current_yet.msi |
Full analysis: | https://app.any.run/tasks/1c76afdc-4eb0-4123-8102-f97104129b64 |
Verdict: | Malicious activity |
Threats: | IcedID is a banking trojan-type malware which allows attackers to utilize it to steal banking credentials of the victims. IcedID aka BokBot mainly targets businesses and steals payment information, it also acts as a loader and can deliver another viruses or download additional modules. |
Analysis date: | December 05, 2022, 22:44:13 |
OS: | Windows 10 Professional (build: 19044, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MyProduct, Author: User, Keywords: Installer, Comments: This installer database contains the logic and data required to install MyProduct., Template: x64;1033, Revision Number: {6F330B47-2577-43AD-9095-1861BA25889B}, Create Time/Date: Mon Dec 5 16:18:38 2022, Last Saved Time/Date: Mon Dec 5 16:18:38 2022, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2 |
MD5: | 123E08900A96C6F2F8EDF6F7C8658436 |
SHA1: | DA2AB9FFA5011065E3CAF4A6EE539790E514AB2F |
SHA256: | F677D2FFFD8BCE6F18A28B156C937E1E28A83BB2A29E2470E76D9314C2168678 |
SSDEEP: | 12288:mwHL0D7BkCPumy9chfA+tk8B0igC+/NHBQ1SdwS:PHL0R/zyt++8BtZKBmS+ |
.msi | | | Microsoft Installer (100) |
---|
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
308 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\current_yet.msi" | C:\Windows\System32\msiexec.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
5596 | C:\WINDOWS\system32\msiexec.exe /V | C:\WINDOWS\system32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6096 | C:\WINDOWS\system32\vssvc.exe | C:\WINDOWS\system32\vssvc.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
3164 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 | C:\WINDOWS\system32\srtasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
1068 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | \??\C:\WINDOWS\system32\conhost.exe | — | srtasks.exe | |||||||||||
User: SYSTEM Integrity Level: SYSTEM Exit code: 0 Modules
| |||||||||||||||
5264 | C:\Windows\System32\MsiExec.exe -Embedding D0776224F72CEE2E0ABECACB92AF776A | C:\Windows\System32\MsiExec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
1884 | rundll32.exe "C:\WINDOWS\Installer\MSI3F6C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1064890 2 test.cs!Test.CustomActions.MyAction | C:\WINDOWS\system32\rundll32.exe | — | MsiExec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
5820 | "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\tmp4076.dll",init | C:\Windows\System32\rundll32.exe | rundll32.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
4836 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\WINDOWS\system32\SppExtComObj.exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Exit code: 0 Version: 10.0.19041.1202 (WinBuild.160101.0800) Modules
| |||||||||||||||
2192 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\WINDOWS\System32\SLUI.exe | SppExtComObj.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
|
(PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore |
Operation: | write | Name: | RPSessionInterval |
Value: 0 | |||
(PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Setup_Last |
Operation: | write | Name: | Upgrade_{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513} |
Value: \\?\Volume{f3242fb5-0000-0000-0000-501f00000000}\:(C%3A) | |||
(PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients |
Operation: | write | Name: | {09F7EDC5-294E-4180-AF6A-FB0E6A0E9513} |
Value: \\?\Volume{2f5c5e72-85a9-11eb-90a8-9a9b76358421}\:(C%3A) | |||
(PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore |
Operation: | write | Name: | RPSessionInterval |
Value: 1 | |||
(PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore |
Operation: | write | Name: | FirstRun |
Value: 0 | |||
(PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore |
Operation: | write | Name: | LastIndex |
Value: 0 | |||
(PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile |
Operation: | write | Name: | NestingLevel |
Value: 0 | |||
(PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile |
Operation: | write | Name: | StartNesting |
Value: 0000000000000000 | |||
(PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore |
Operation: | write | Name: | SRInitDone |
Value: 1 | |||
(PID) Process: | (5596) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Setup\PreviousOSUpgrade |
Operation: | delete key | Name: | (default) |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
5596 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
1884 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\tmp4076.dll | executable | |
MD5:C7CA67A72A6CAD3FC366E6E172539859 | SHA256:C705008B6656FEABE462EBB2363D6A259581CEA574872CB1C6C440DBD23AD4FA | |||
1884 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSI3F6C.tmp-\test.cs.dll | executable | |
MD5:5DC2EF88EEEB59E7410002B0F32E179E | SHA256:950039790D9035228978CE644429AF1587225503C8631392F1C03ED6FD77BB6A | |||
5596 | msiexec.exe | C:\WINDOWS\Installer\103eef.msi | executable | |
MD5:123E08900A96C6F2F8EDF6F7C8658436 | SHA256:F677D2FFFD8BCE6F18A28B156C937E1E28A83BB2A29E2470E76D9314C2168678 | |||
5596 | msiexec.exe | C:\WINDOWS\Installer\MSI4180.tmp | binary | |
MD5:B2A7F77398EA00C278882B0C61026405 | SHA256:683135E4400F671D456E57F8F43AD7D0843FE86442E307EB8E61A6C771E076AA | |||
5596 | msiexec.exe | C:\WINDOWS\System32\Restore\MachineGuid.txt | binary | |
MD5:D5EC15DFB0B6763D0EAA47E07CD5DA8F | SHA256:0A7123DD1C4C04941BC6433F4BCEB958DE8AE1101E0DEAC08F6270582A42FE67 | |||
5596 | msiexec.exe | C:\WINDOWS\TEMP\~DF1F9EAA33970F3438.TMP | binary | |
MD5:F4D674F77CABB760E94AD803E843563C | SHA256:B5D17DA020CF7846045CEAEB3E29B8BA7BA142742F0B38EA460AE74DF5434659 | |||
5596 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{fedefcdc-b606-4413-8fae-74594112c39e}_OnDiskSnapshotProp | binary | |
MD5:47A8AC415D09FECD52FE0DCCC228052F | SHA256:D7A7DD044072FAF0D5731E03FB8A47643D0553C9402D3996E97D664CFFE74E38 | |||
5596 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:47A8AC415D09FECD52FE0DCCC228052F | SHA256:D7A7DD044072FAF0D5731E03FB8A47643D0553C9402D3996E97D664CFFE74E38 | |||
5596 | msiexec.exe | C:\WINDOWS\TEMP\~DFC7368E0F3C41BC7A.TMP | binary | |
MD5:F4D674F77CABB760E94AD803E843563C | SHA256:B5D17DA020CF7846045CEAEB3E29B8BA7BA142742F0B38EA460AE74DF5434659 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
6084 | sihclient.exe | GET | 200 | 95.101.54.128:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | der | 1.11 Kb | whitelisted |
— | — | POST | 200 | 40.126.32.140:443 | https://login.live.com/RST2.srf | US | xml | 1.25 Kb | whitelisted |
6084 | sihclient.exe | GET | 304 | 52.152.110.14:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | US | — | — | whitelisted |
— | — | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 210 b | whitelisted |
— | — | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 210 b | whitelisted |
1012 | svchost.exe | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 210 b | whitelisted |
— | — | GET | 200 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.1165&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4 | IE | binary | 3.35 Kb | whitelisted |
1012 | svchost.exe | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 210 b | whitelisted |
1012 | svchost.exe | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 210 b | whitelisted |
5820 | rundll32.exe | GET | 404 | 165.227.104.80:80 | http://kamintrewftor.com/ | US | html | 271 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2724 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6084 | sihclient.exe | 95.101.54.128:80 | crl.microsoft.com | Akamai International B.V. | DE | suspicious |
6084 | sihclient.exe | 52.152.110.14:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5820 | rundll32.exe | 165.227.104.80:80 | kamintrewftor.com | DIGITALOCEAN-ASN | US | malicious |
1012 | svchost.exe | 40.126.32.140:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | suspicious |
— | — | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4348 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | suspicious |
6084 | sihclient.exe | 104.79.89.142:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
3584 | mousocoreworker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | suspicious |
2916 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
client.wns.windows.com |
| whitelisted |
kamintrewftor.com |
| malicious |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
5820 | rundll32.exe | A Network Trojan was detected | ET TROJAN Win32/IcedID Request Cookie |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
5412 | svchost.exe | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |
5412 | svchost.exe | Misc activity | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent |