Potential Malware - CryptoProviderInstaller but signature is invalid FP?

soccer97

Hi Everyone,

HitmanPro was doing a routine scan, file date is 01/26/17. I have a file that is potentially malicious, has an invalid/no digital signature and is from Intel. It has a 55% malicious rating and I am on the fence about what to do. Anyone's advice would be appreciated!

Screenshots in Hybrid-Analysis link

By cross-referencing the memory forensics, I get a malicious indicator from Metadefender (1/5) (queried VTotal for the appcrawler website IP).

MetaDefender exe Analysis

Hybrid Analysis

VirusTotal

It was in location: C:\ProgramData\Package Cache\{dda6f161-ee24-46c4-9ebb-45abd7cf0eb7}

I am wondering if it's an FP. HitmanPro was doing a routine scan, file date is 01/26/17.

Another file in the directory was: state.rsm

If I quarantine it, and it's an Intel-related file, will I screw up my PC?

Thanks to anyone for your help.

soccer97

I found this new feature (one I didn't know about) in HitmanPro:

Properties
Name: CryptoProviderInstaller.exe
Location: C:\ProgramData\Package Cache\{dda6f161-ee24-46c4-9ebb-45abd7cf0eb7}
Size: 579 KB
Time: 15.1 days ago (2017-01-26 20:22:04)
Authenticode: Invalid
Entropy: 7.1
Product: Cryptographic Provider for Windows OS
Publisher: Intel Corpration
Description: Cryptographic Provider for Windows OS
Version: 1.0.0
Copyright: Copyright (C) 2017 Intel Corporation
RSA Key Size: 2048
LanguageID: 1033
SHA-256: 2A53CE6514FC5CD2F0F4D1C2BB3252DAF010BFDF430EFAA9BA12440EAA167876

Scoring (25.0)
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.

Forensic Cluster
0.0s C:\ProgramData\Package Cache\{dda6f161-ee24-46c4-9ebb-45abd7cf0eb7}\
* C:\ProgramData\Package Cache\{dda6f161-ee24-46c4-9ebb-45abd7cf0eb7}\CryptoProviderInstaller.exe
0.0s C:\ProgramData\Package Cache\{dda6f161-ee24-46c4-9ebb-45abd7cf0eb7}\state.rsm
0.1s C:\ProgramData\Package Cache\{0649522E-E54B-4327-912F-565F6E9F68A5}v1.7.100.35600\
0.1s C:\ProgramData\Package Cache\{0D5A66BD-061E-4A5C-BD03-CF30EA2C86E9}v1.0.0\
1.9s C:\Users\redacted\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\991F383F0AD298067B7400BAFF5D2AF4_DD342D5E9110BA8C06D2C7064C87A62E
2.0s C:\Users\redacted\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\991F383F0AD298067B7400BAFF5D2AF4_DD342D5E9110BA8C06D2C7064C87A62E

Everything on my PC is legal.

Winter Soldier

Hello

From what I can interpret from the HA report, it is possible that the file is not malicious.
Any malicious indicators in the report show features that may be linked to malware, but this does not mean absolute certainty that it is a malicious file.

Precisely:

"Error validating certificate: No signature was present in the subject. (0x800b0100)"

This error tells me that either there is no signature on the manifest file or the signature is corrupt. This can occur for a number of reasons, such as the downloaded package being corrupt.
But it does not necessarily mean that the file is malicious.

Very important is to analyze any contacted domains, and in our case the first two ones:

- ocsp.intel.com

The Online Certificate Status Protocol (OCSP) is a protocol that allows you to check the validity of a certificate.

- pki.intel.com

Public key infrastructure (PKI)

Both are related to Intel.

And this:

- trust.quovadisglobal.com

QuoVadis Trust is a provider of digital certificate services for enterprises and governments.

QuoVadis Group

So it seems to contact non-malicious domains.

The VirusTotal report is not a reliable indicator in a malware analysis context because, obviously, it provides an automated response based on antivirus analysis and the related false positives.

Just my opinion :)
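One way to re-check the three HitmanPro findings (Authenticode status, hash, entropy) on the affected machine itself, as an added PowerShell example that is not from the thread or from HitmanPro. It assumes the file is still at the path reported above, uses the SHA-256 from the HitmanPro properties, and relies only on the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets:

```powershell
# Added triage example (not from the thread or HitmanPro). Path and SHA-256 are
# the values HitmanPro reported in the thread above.
$Path = 'C:\ProgramData\Package Cache\{dda6f161-ee24-46c4-9ebb-45abd7cf0eb7}\CryptoProviderInstaller.exe'
$ExpectedSha256 = '2A53CE6514FC5CD2F0F4D1C2BB3252DAF010BFDF430EFAA9BA12440EAA167876'

# 1. Authenticode: Status distinguishes "NotSigned" (no signature at all) from
#    "HashMismatch" (signed, then altered), which the bare 0x800b0100 message
#    in the HA report does not tell you.
$sig = Get-AuthenticodeSignature -FilePath $Path
"Authenticode status   : $($sig.Status) - $($sig.StatusMessage)"
if ($sig.SignerCertificate) {
    "Signer subject        : $($sig.SignerCertificate.Subject)"
    "Signer thumbprint     : $($sig.SignerCertificate.Thumbprint)"
}

# 2. Hash: confirm the file on disk is the same sample the online reports describe
#    (-eq is case-insensitive, so upper/lower-case hex both match).
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
"SHA-256 matches report: $($actual -eq $ExpectedSha256)"

# 3. Shannon entropy in bits per byte (max 8.0). Values around 7 and above mean
#    the bulk of the file is compressed or encrypted data, which is normal for a
#    packed installer and is exactly what HitmanPro's entropy score reacts to.
$bytes  = [System.IO.File]::ReadAllBytes($Path)
$counts = New-Object int[] 256
foreach ($b in $bytes) { $counts[$b]++ }
$entropy = 0.0
foreach ($c in $counts) {
    if ($c -gt 0) {
        $p = $c / $bytes.Length
        $entropy -= $p * [Math]::Log($p, 2)
    }
}
"Entropy               : {0:N2} bits/byte" -f $entropy
```

A NotSigned or HashMismatch status combined with a hash that matches the reports tells you which of the two cases Winter Soldier describes (no signature vs. corrupted signature) applies to the copy on disk.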

Brian Mahan

I also just encountered this file while installing Sticky Password Premium. It was quarantined by EmsiSoft Internet Security as a 'dangerous' program. Do you happen to have Sticky Password also? Or, is this file coming from multiple sources? My download of Sticky Password did hang in the middle for a bit before completing. Could that have corrupted something?

Thanks.

Winter Soldier

> Brian Mahan said:
> I also just encountered this file while installing Sticky Password Premium. It was quarantined by EmsiSoft Internet Security as a 'dangerous' program. Do you happen to have Sticky Password also? Or, is this file coming from multiple sources? My download of Sticky Password did hang in the middle for a bit before completing. Could that have corrupted something?
>
> Thanks.

Recent Intel CPUs include the ability for running software to create and use secure "enclaves" that are safe from attacks coming from the operating system itself. It is a security layer in the chip that cryptographically protects regions of operating system memory.

Some software, like password managers, uses encryption, and when it needs to perform an operation that relies on functions or data in the enclave, it makes the request to the Intel Crypto Provider, talking directly to the chip, which then performs the operation in the encrypted enclave.

All of these operations could be flagged by some AVs that identify the object file as malicious.

soccer97

> Brian Mahan said:
> I also just encountered this file while installing Sticky Password Premium. It was quarantined by EmsiSoft Internet Security as a 'dangerous' program. Do you happen to have Sticky Password also? Or, is this file coming from multiple sources? My download of Sticky Password did hang in the middle for a bit before completing. Could that have corrupted something?
>
> Thanks.

Yep, I do, and I am guessing that it was the component (SGX) that @Winter Soldier mentioned.

It would be helpful if you reported it to the vendor through a regular support ticket.

soccer97

> Winter Soldier said:
> Hello
>
> From what I can interpret from the HA report, it is possible that the file is not malicious.
> Any malicious indicators in the report show features that may be linked to malware, but this does not mean absolute certainty that it is a malicious file.
>
> Precisely:
>
> "Error validating certificate: No signature was present in the subject. (0x800b0100)"
>
> This error tells me that either there is no signature on the manifest file or the signature is corrupt. This can occur for a number of reasons, such as the downloaded package being corrupt.
> But it does not necessarily mean that the file is malicious.
>
> Very important is to analyze any contacted domains, and in our case the first two ones:
>
> - ocsp.intel.com
>
> The Online Certificate Status Protocol (OCSP) is a protocol that allows you to check the validity of a certificate.
>
> - pki.intel.com
>
> Public key infrastructure (PKI)
>
> Both are related to Intel.
>
> And this:
>
> - trust.quovadisglobal.com
>
> QuoVadis Trust is a provider of digital certificate services for enterprises and governments.
>
> QuoVadis Group
>
> So it seems to contact non-malicious domains.
>
> The VirusTotal report is not a reliable indicator in a malware analysis context because, obviously, it provides an automated response based on antivirus analysis and the related false positives.
>
> Just my opinion :)

This was very thorough, educational and reassuring. I really appreciate the time you spent explaining/breaking it down for both me and the community.

Seriously. It also helps to interpret future reports.

Thank You!

Winter Soldier

> soccer97 said:
> This was very thorough, educational and reassuring. I really appreciate the time you spent explaining/breaking it down for both me and the community.
>
> Seriously. It also helps to interpret future reports.
>
> Thank You!

Thanks for the kind words, really appreciated. I often work with this stuff for professional reasons :)