File name:

current_yet.msi

Full analysis: https://app.any.run/tasks/1c76afdc-4eb0-4123-8102-f97104129b64
Verdict: Malicious activity
Threats:

IcedID (aka BokBot) is a banking trojan that lets attackers steal victims' banking credentials. It mainly targets businesses and steals payment information; it also acts as a loader and can deliver other malware or download additional modules.

Analysis date: December 05, 2022, 22:44:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
trojan
icedid
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MyProduct, Author: User, Keywords: Installer, Comments: This installer database contains the logic and data required to install MyProduct., Template: x64;1033, Revision Number: {6F330B47-2577-43AD-9095-1861BA25889B}, Create Time/Date: Mon Dec 5 16:18:38 2022, Last Saved Time/Date: Mon Dec 5 16:18:38 2022, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

123E08900A96C6F2F8EDF6F7C8658436

SHA1:

DA2AB9FFA5011065E3CAF4A6EE539790E514AB2F

SHA256:

F677D2FFFD8BCE6F18A28B156C937E1E28A83BB2A29E2470E76D9314C2168678

SSDEEP:

12288:mwHL0D7BkCPumy9chfA+tk8B0igC+/NHBQ1SdwS:PHL0R/zyt++8BtZKBmS+
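The file info above identifies the sample as a Compound File Binary container ("Composite Document File V2, Little Endian") carrying an MSI database, and the hash list is what you would match against the cached copy the installer later drops under C:\WINDOWS\Installer. The Python below is an added example, not part of the ANY.RUN report: it checks that a file really is a CFB container before trusting its .msi extension, and emits the same upper-case digests the report lists. The 512-byte header it builds for testing is synthetic, not bytes from the analysed sample.

```python
import hashlib
import struct
from typing import Dict

# MS-CFB signature: every MSI (OLE2 / "Composite Document File V2") begins with it.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def parse_cfb_header(data: bytes) -> Dict[str, int]:
    """Parse the 512-byte Compound File Binary header that an .msi must carry.

    Raises ValueError when the bytes are not a CFB container or the header
    fields contradict each other, which is what you want to know before
    trusting the .msi extension or a "Microsoft Installer" TrID verdict.
    """
    if len(data) < 512:
        raise ValueError("shorter than a CFB header (512 bytes)")
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a Compound File: magic %r" % data[:8])
    # MS-CFB offsets: 0x18 minor, 0x1A major, 0x1C byte order, 0x1E sector shift, 0x20 mini shift
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 0x18)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order mark 0x%04X" % byte_order)
    # v3 files use 512-byte sectors (shift 9), v4 files 4096-byte sectors (shift 12)
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        raise ValueError("version %d with sector shift %d is inconsistent" % (major, sector_shift))
    # 0x2C number of FAT sectors, 0x30 first directory sector
    num_fat_sectors, first_dir_sector = struct.unpack_from("<II", data, 0x2C)
    return {
        "major_version": major,
        "minor_version": minor,
        "sector_size": 1 << sector_shift,
        "mini_sector_size": 1 << mini_shift,
        "fat_sectors": num_fat_sectors,
        "first_dir_sector": first_dir_sector,
    }


def file_indicators(data: bytes) -> Dict[str, str]:
    """Upper-case hex digests in the form the report lists them."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def build_sample_header() -> bytes:
    """Construct a minimal, internally consistent v3 CFB header for offline testing.

    Synthetic test input, not bytes from the analysed sample.
    """
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x003E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", hdr, 0x2C, 1, 1)  # one FAT sector, directory starts at sector 1
    return bytes(hdr)


def triage(path: str) -> Dict[str, object]:
    """Read a file, verify it is a CFB container, and return header info plus digests."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"cfb": parse_cfb_header(data), **file_indicators(data)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(triage(sys.argv[1]))
    else:
        sample = build_sample_header()
        print(parse_cfb_header(sample))
        print(file_indicators(sample))
```

Run it as `python cfb_triage.py current_yet.msi` to compare the digests with the MD5/SHA256 above; in this report the cached copy C:\WINDOWS\Installer\103eef.msi listed under "Dropped files" carries the same MD5 and SHA256 as the submitted sample. A file with an .msi extension that fails the magic check (an MZ header, for instance) is worth a closer look regardless of what the sandbox verdict says.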

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • msiexec.exe (PID: 5596)
    • ICEDID was detected

      • rundll32.exe (PID: 5820)
    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 5820)
      • rundll32.exe (PID: 1884)
      • MsiExec.exe (PID: 5264)
  • SUSPICIOUS

    • Application launched itself

      • msiexec.exe (PID: 5596)
      • rundll32.exe (PID: 1884)
    • Searches for installed software

      • msiexec.exe (PID: 5596)
    • Uses RUNDLL32.EXE to load library

      • MsiExec.exe (PID: 5264)
      • rundll32.exe (PID: 1884)
    • Executes as Windows Service

      • vssvc.exe (PID: 6096)
    • Starts Microsoft Installer

      • msiexec.exe (PID: 5596)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 5596)
    • Reads settings of System Certificates

      • SLUI.exe (PID: 2192)
      • slui.exe (PID: 5680)
  • INFO

    • Creates files in the Windows directory

      • msiexec.exe (PID: 5596)
    • Checks supported languages

      • conhost.exe (PID: 1068)
    • Creates a file in a temporary directory

      • rundll32.exe (PID: 1884)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5596)
    • Checks proxy server information

      • slui.exe (PID: 5680)
    • Reads the software policy settings

      • SLUI.exe (PID: 2192)
      • slui.exe (PID: 5680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)
No data.
All screenshots are available in the full report
Total processes
140
Monitored processes
13
Malicious processes
7
Suspicious processes
0

Behavior graph

Processes shown in the graph, in order (labels as in the original graph):
  • start
  • msiexec.exe (no specs)
  • msiexec.exe
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • msiexec.exe (no specs)
  • rundll32.exe (no specs)
  • rundll32.exe #ICEDID
  • sppextcomobj.exe (no specs)
  • slui.exe
  • slui.exe
  • filecoauth.exe (no specs)
  • filecoauth.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 308
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\current_yet.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 5596
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\WINDOWS\system32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6096
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\WINDOWS\system32\vssvc.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3164
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Path: C:\WINDOWS\system32\srtasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 1068
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: \??\C:\WINDOWS\system32\conhost.exe
Parent process: srtasks.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5264
CMD: C:\Windows\System32\MsiExec.exe -Embedding D0776224F72CEE2E0ABECACB92AF776A
Path: C:\Windows\System32\MsiExec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
PID: 1884
CMD: rundll32.exe "C:\WINDOWS\Installer\MSI3F6C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1064890 2 test.cs!Test.CustomActions.MyAction
Path: C:\WINDOWS\system32\rundll32.exe
Parent process: MsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 5820
CMD: "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\tmp4076.dll",init
Path: C:\Windows\System32\rundll32.exe
Parent process: rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 4836
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\WINDOWS\system32\SppExtComObj.exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.1202 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
PID: 2192
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\WINDOWS\System32\SLUI.exe
Parent process: SppExtComObj.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
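The process table above is the part of this report a detection engineer would turn into a rule: msiexec.exe (PID 5596) spawns MsiExec.exe -Embedding (PID 5264), which hosts the WiX DTF managed custom action in rundll32.exe (PID 1884, export zzzzInvokeManagedCustomActionOutOfProc on a .tmp file under C:\WINDOWS\Installer), and that rundll32 in turn launches a second rundll32.exe (PID 5820) loading tmp4076.dll from the user's %TEMP% with export "init", the process flagged as IcedID. The Python below is an added example, not code from the ANY.RUN report: it applies those checks to process-creation events. The command lines are copied from the table above; the event record layout, parent links and the severity scheme are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style; layout constructed here)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


# Command lines copied from the report's process table; the records themselves
# (field names, parent links) are constructed for this example.
SAMPLE_EVENTS = [
    ProcEvent(308, r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\current_yet.msi"',
              r"Explorer.EXE"),
    ProcEvent(5596, r"C:\WINDOWS\system32\msiexec.exe",
              r"C:\WINDOWS\system32\msiexec.exe /V", r"services.exe"),
    ProcEvent(6096, r"C:\WINDOWS\system32\vssvc.exe",
              r"C:\WINDOWS\system32\vssvc.exe", r"services.exe"),
    ProcEvent(5264, r"C:\Windows\System32\MsiExec.exe",
              r"C:\Windows\System32\MsiExec.exe -Embedding D0776224F72CEE2E0ABECACB92AF776A",
              r"msiexec.exe"),
    ProcEvent(1884, r"C:\WINDOWS\system32\rundll32.exe",
              r'rundll32.exe "C:\WINDOWS\Installer\MSI3F6C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1064890 2 test.cs!Test.CustomActions.MyAction',
              r"MsiExec.exe"),
    ProcEvent(5820, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\tmp4076.dll",init',
              r"rundll32.exe"),
]

# rundll32 syntax: rundll32.exe <dll>,<export> [args]; the DLL path may be quoted.
RUNDLL32_ARGS = re.compile(
    r'rundll32\.exe"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>[^\s,]+)', re.IGNORECASE)
# Directories a standard user can write to (list is an assumption for the example).
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Users\\[^\\]+\\Downloads)\\", re.IGNORECASE)
# Export used by the WiX DTF self-extracting custom action host (SfxCA).
DTF_EXPORT = "zzzzInvokeManagedCustomActionOutOfProc"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) from a rundll32 command line, or None."""
    m = RUNDLL32_ARGS.search(cmdline)
    if not m:
        return None
    return m.group("dll").strip(), m.group("export")


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> list of findings for the events that trip a check."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits: List[str] = []
        img, parent = basename(ev.image), basename(ev.parent_image)
        low = ev.cmdline.lower()
        if img == "msiexec.exe" and " /i " in low and "\\users\\" in low:
            hits.append("msiexec installs a package from a user-profile path")
        if img == "rundll32.exe":
            parsed = parse_rundll32(ev.cmdline)
            if parsed:
                dll, export = parsed
                if USER_WRITABLE.search(dll):
                    hits.append("rundll32 loads DLL from user-writable dir: " + dll)
                if not dll.lower().endswith(".dll"):
                    hits.append("rundll32 target lacks .dll extension: " + dll)
                if export == DTF_EXPORT:
                    hits.append("WiX DTF managed custom action host (SfxCA)")
            if parent == "rundll32.exe":
                hits.append("rundll32 spawned by rundll32")
        if hits:
            findings[ev.pid] = hits
    return findings


def severity(hits: List[str]) -> str:
    """Constructed scoring: temp-DLL load chained from another rundll32 is the IcedID shape."""
    text = " ".join(hits)
    if "user-writable" in text and "spawned by rundll32" in text:
        return "high"
    if "user-writable" in text:
        return "medium"
    return "low" if hits else "none"


if __name__ == "__main__":
    for pid, hits in analyze(SAMPLE_EVENTS).items():
        print(pid, severity(hits), hits)
```

The DTF check on its own is informational: rundll32.exe hosting an MSI*.tmp with that export is how every WiX-built installer with managed custom actions runs, which is exactly why this loader hides behind it. The high-confidence signal is the child it spawns, another rundll32.exe whose DLL sits in %TEMP%, with a rundll32 parent; in this report that is PID 5820, and it is also the only process here that later produced the network alert.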
Total events
8 789
Read events
8 495
Write events
272
Delete events
22

Modification events

(PID) Process: (5596) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation: write
Name: RPSessionInterval
Value: 0

(PID) Process: (5596) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Setup_Last
Operation: write
Name: Upgrade_{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}
Value: \\?\Volume{f3242fb5-0000-0000-0000-501f00000000}\:(C%3A)

(PID) Process: (5596) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients
Operation: write
Name: {09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}
Value: \\?\Volume{2f5c5e72-85a9-11eb-90a8-9a9b76358421}\:(C%3A)

(PID) Process: (5596) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation: write
Name: RPSessionInterval
Value: 1

(PID) Process: (5596) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation: write
Name: FirstRun
Value: 0

(PID) Process: (5596) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation: write
Name: LastIndex
Value: 0

(PID) Process: (5596) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
Operation: write
Name: NestingLevel
Value: 0

(PID) Process: (5596) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
Operation: write
Name: StartNesting
Value: 0000000000000000

(PID) Process: (5596) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Operation: write
Name: SRInitDone
Value: 1

(PID) Process: (5596) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Setup\PreviousOSUpgrade
Operation: delete key
Name: (default)
Value:
Executable files
7
Suspicious files
16
Text files
2
Unknown types
7

Dropped files

PID
Process
Filename
Type
PID: 5596
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:

PID: 5596
Process: msiexec.exe
Filename: C:\WINDOWS\Installer\103eef.msi
Type: executable
MD5: 123E08900A96C6F2F8EDF6F7C8658436
SHA256: F677D2FFFD8BCE6F18A28B156C937E1E28A83BB2A29E2470E76D9314C2168678

PID: 1884
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log
Type: text
MD5: F4D4EFE2A9C613239F1766C28571C09C
SHA256: F4FE052C87623041BEC428960320E04CDC1F1DD61F63F7C775DA617C8DE78C6D

PID: 5596
Process: msiexec.exe
Filename: C:\WINDOWS\TEMP\~DF6938FA49DE02AC2A.TMP
Type: gmc
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

PID: 5596
Process: msiexec.exe
Filename: C:\WINDOWS\Installer\MSI3F6C.tmp
Type: executable
MD5: 58764E57ACBEEC211E0DC2D07CA2FB3E
SHA256: 13954D45B324BA4C5C4148CBD469289E62F783B0304ABA398CF426A993A5A379

PID: 1884
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI3F6C.tmp-\CustomAction.config
Type: xml
MD5: C9C40AF1656F8531EAA647CACEB1E436
SHA256: 1A67F60962CA1CBF19873B62A8518EFE8C701A09CD609AF4C50ECC7F0B468BB8

PID: 5596
Process: msiexec.exe
Filename: C:\Config.Msi\103ef0.rbs
Type: binary
MD5: 031D4AB894C988FB556AAA3B6B632F39
SHA256: D2AF89A9DDD9A482E45C156569B0062C3BDE57EED68347A5123759983D52BBDC

PID: 5596
Process: msiexec.exe
Filename: C:\WINDOWS\Installer\MSI4180.tmp
Type: binary
MD5: B2A7F77398EA00C278882B0C61026405
SHA256: 683135E4400F671D456E57F8F43AD7D0843FE86442E307EB8E61A6C771E076AA

PID: 1884
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI3F6C.tmp-\test.cs.dll
Type: executable
MD5: 5DC2EF88EEEB59E7410002B0F32E179E
SHA256: 950039790D9035228978CE644429AF1587225503C8631392F1C03ED6FD77BB6A

PID: 5596
Process: msiexec.exe
Filename: C:\WINDOWS\System32\Restore\MachineGuid.txt
Type: binary
MD5: D5EC15DFB0B6763D0EAA47E07CD5DA8F
SHA256: 0A7123DD1C4C04941BC6433F4BCEB958DE8AE1101E0DEAC08F6270582A42FE67
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
71
TCP/UDP connections
71
DNS requests
23
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
4.231.128.59:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.1165&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4
IE
binary
3.35 Kb
whitelisted
POST
200
40.126.32.140:443
https://login.live.com/RST2.srf
US
xml
1.25 Kb
whitelisted
POST
400
40.126.32.140:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
210 b
whitelisted
POST
400
40.126.32.140:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
210 b
whitelisted
1012
svchost.exe
POST
400
40.126.32.140:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
210 b
whitelisted
1012
svchost.exe
POST
400
40.126.32.140:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
210 b
whitelisted
1012
svchost.exe
POST
400
40.126.32.140:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
210 b
whitelisted
1012
svchost.exe
POST
400
40.126.32.140:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
210 b
whitelisted
1012
svchost.exe
POST
400
40.126.32.140:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
210 b
whitelisted
5820
rundll32.exe
GET
404
165.227.104.80:80
http://kamintrewftor.com/
US
html
271 b
malicious

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6084
sihclient.exe
52.152.110.14:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5820
rundll32.exe
165.227.104.80:80
kamintrewftor.com
DIGITALOCEAN-ASN
US
malicious
2724
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1012
svchost.exe
40.126.32.140:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
suspicious
6084
sihclient.exe
95.101.54.128:80
crl.microsoft.com
Akamai International B.V.
DE
suspicious
6084
sihclient.exe
52.152.108.96:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
suspicious
6084
sihclient.exe
104.79.89.142:80
www.microsoft.com
AKAMAI-AS
DE
malicious
2916
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3584
mousocoreworker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
suspicious

DNS requests

Domain
IP
Reputation
client.wns.windows.com
  • 40.113.103.199
  • 40.113.110.67
whitelisted
kamintrewftor.com
  • 165.227.104.80
malicious
slscr.update.microsoft.com
  • 52.152.110.14
whitelisted
crl.microsoft.com
  • 95.101.54.128
  • 95.101.54.122
  • 2.19.126.97
  • 2.19.126.87
whitelisted
www.microsoft.com
  • 104.79.89.142
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.152.108.96
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.109.13.63
whitelisted
self.events.data.microsoft.com
  • 51.132.193.104
whitelisted

Threats

PID
Process
Class
Message
5820
rundll32.exe
A Network Trojan was detected
ET TROJAN Win32/IcedID Request Cookie
5412
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
5412
svchost.exe
Misc activity
ET INFO Windows OS Submitting USB Metadata to Microsoft
5412
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
5412
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
5412
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
5412
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
5412
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
5412
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
5412
svchost.exe
Misc activity
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
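Of the 15 threats in the network tables, only one is the malware: the "ET TROJAN Win32/IcedID Request Cookie" alert on PID 5820 (rundll32.exe), whose sole destination was kamintrewftor.com at 165.227.104.80:80 (DIGITALOCEAN-ASN). Everything else is Windows telemetry and activation traffic from svchost.exe, sihclient.exe and slui.exe. The Python below is an added example, not part of the ANY.RUN report: it takes those two indicators and scans process-attributed HTTP log lines for them, and additionally flags any HTTP originating from rundll32.exe, since that process has no business initiating web requests on a workstation. The log lines and their field layout are constructed for the example (they are not the report's PCAP), and the extra LOLBin names beside rundll32.exe are an assumption.

```python
import ipaddress
import re
from typing import Dict, List

# Indicators taken from the report's Connections / DNS / Threats tables:
# the only host contacted by the flagged rundll32.exe (PID 5820).
IOC_DOMAINS = {"kamintrewftor.com"}
IOC_IPS = {"165.227.104.80"}

# Processes that should not originate HTTP from a workstation. rundll32.exe is
# what this report shows; the other two are assumed additions for the example.
SUSPECT_ORIGINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Constructed proxy-style log lines (not the report's PCAP):
# "<pid> <process> <method> <host>[:port] <path> <status>"
SAMPLE_LOG = """\
1012 svchost.exe POST login.live.com:443 /RST2.srf 200
5820 rundll32.exe GET kamintrewftor.com:80 / 404
6084 sihclient.exe GET www.microsoft.com:80 / 200
5820 rundll32.exe GET 165.227.104.80:80 / 404
2724 svchost.exe GET client.wns.windows.com:443 / 200
"""

LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>[^:\s]+)(?::(?P<port>\d+))?\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host: str, iocs) -> bool:
    """Exact or subdomain match, case-insensitive, tolerant of a trailing dot."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def scan(log_text: str) -> List[Dict[str, object]]:
    """Return one alert per log line that matches an IOC or comes from a suspect process."""
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than crash the scanner
        host, proc = m.group("host"), m.group("proc")
        reasons: List[str] = []
        if is_ip(host):
            reasons.append("direct-to-ip")        # HTTP to a bare IP, no hostname
            if host in IOC_IPS:
                reasons.append("ioc-ip")
        elif domain_matches(host, IOC_DOMAINS):
            reasons.append("ioc-domain")
        if proc.lower() in SUSPECT_ORIGINS:
            reasons.append("suspicious-origin-process")
        if reasons:
            alerts.append({
                "pid": int(m.group("pid")),
                "process": proc,
                "host": host,
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Both constructed rundll32 lines are flagged and nothing from the Microsoft hosts is, which mirrors the report: the C2 request returned HTTP 404 (the "malicious" GET http://kamintrewftor.com/ above), so status codes are deliberately not part of the decision; the origin process and the destination are.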
No debug info