File name:

krreyo.oyl

Full analysis: https://app.any.run/tasks/516a7995-e9d6-4186-9fde-6e78b146e0a6
Verdict: Malicious activity
Analysis date: June 18, 2019, 20:56:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1251, Title: Installation Database, Subject: Microsoft.NET, Author: user, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft.NET., Template: Intel;1049, Revision Number: {9C4E4ED1-5BE4-460D-A942-793EDD7912E0}, Create Time/Date: Thu Jun 13 10:30:40 2019, Last Saved Time/Date: Thu Jun 13 10:30:40 2019, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1528), Security: 2
MD5:

C2A35E7C5CD6885078F306AE25424148

SHA1:

38D4B8FD89219DCCD70963F6474A56EF8926650E

SHA256:

501B36D805BCB6C9B89E406646831520D984BAFA7DE1788076277A749C9F9C54

SSDEEP:

49152:Bk+KzQLwgTJ2Y5WqOjU9Lk47yav41lCVhoenXSl/5O6mi1q8hPXWceys:BJPVF2Y5WqOjkY4VQKLXSnphPGt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • z.exe (PID: 2676)

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2624)

  • SUSPICIOUS

    • Executed as Windows Service

      • vssvc.exe (PID: 3232)

    • Executed via COM

      • DrvInst.exe (PID: 2588)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 368)
      • msiexec.exe (PID: 3068)

    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 368)

    • Uses TASKKILL.EXE to kill process

      • rundll32.exe (PID: 2624)

    • Starts CMD.EXE for commands execution

      • MsiExec.exe (PID: 2440)

  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3232)

    • Searches for installed software

      • msiexec.exe (PID: 3068)

    • Changes settings of System certificates

      • DrvInst.exe (PID: 2588)

    • Application launched itself

      • msiexec.exe (PID: 3068)

    • Application was crashed

      • rundll32.exe (PID: 2624)

    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 2588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Cyrillic
Title: Installation Database
Subject: Microsoft.NET
Author: user
Keywords: Installer
Comments: This installer database contains the logic and data required to install Microsoft.NET.
Template: Intel;1049
RevisionNumber: {9C4E4ED1-5BE4-460D-A942-793EDD7912E0}
CreateDate: 2019:06:13 09:30:40
ModifyDate: 2019:06:13 09:30:40
Pages: 200
Words: 10
Software: Windows Installer XML Toolset (3.11.0.1528)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
10
Malicious processes
0
Suspicious processes
3

Behavior graph

Click at the process to see the details
start msiexec.exe no specs msiexec.exe vssvc.exe no specs drvinst.exe no specs msiexec.exe no specs cmd.exe no specs z.exe no specs cmd.exe rundll32.exe taskkill.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
368"cmd" /v:on /c "set Tlder=rundll32&set Dlsrt=%random%&mkdir "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\!Dlsrt!"&cd "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\!Dlsrt!\"&move /y "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\*.*" "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\!Dlsrt!"\&!Tlder! ic64.dll,Entry u"C:\Windows\system32\cmd.exe
MsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2440C:\Windows\system32\MsiExec.exe -Embedding D091D024DEA02E33AD2781FC27DF5C85C:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
1
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2588DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000003A0" "000005BC"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
2624rundll32 ic64.dll,Entry uC:\Windows\system32\rundll32.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2676z -o -P arima msi.zipC:\Users\admin\AppData\Local\Temp\ImagingEngine.dll\z.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\imagingengine.dll\z.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2692"cmd" /c "cd "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\"&z -o -P arima msi.zip"C:\Windows\system32\cmd.exeMsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2912"C:\Windows\System32\taskkill.exe" /IM msiexec.exe /FC:\Windows\System32\taskkill.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
3068C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3232C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3680"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\krreyo.oyl.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
1
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
557
Read events
369
Write events
176
Delete events
12

Modification events

(PID) Process:(3068) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4000000000000000822FDA4A1826D501FC0B0000C00B0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3068) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4000000000000000822FDA4A1826D501FC0B0000C00B0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3068) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
20
(PID) Process:(3068) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
400000000000000046523E4B1826D501FC0B0000C00B0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3068) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000A0B4404B1826D501FC0B0000E00A0000E80300000100000000000000000000001B2B412F79787D4DAD19068215C8C3230000000000000000
(PID) Process:(3232) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000083E4A4B1826D501A00C0000F00E0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3232) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000083E4A4B1826D501A00C0000EC0E0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3232) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000083E4A4B1826D501A00C0000540B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3232) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000083E4A4B1826D501A00C0000480B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3232) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Leave)
Value:
40000000000000001665514B1826D501A00C0000F00E0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
Executable files
6
Suspicious files
9
Text files
84
Unknown types
0

Dropped files

PID
Process
Filename
Type
3068msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
3068msiexec.exeC:\Users\admin\AppData\Local\Temp\~DFE79FF8E330B32F7E.TMP
MD5:
SHA256:
2676z.exeC:\Users\admin\AppData\Local\Temp\ImagingEngine.dll\bin.dat
MD5:
SHA256:
2676z.exeC:\Users\admin\AppData\Local\Temp\ImagingEngine.dll\ic64.dll
MD5:
SHA256:
2588DrvInst.exeC:\Windows\INF\setupapi.ev3binary
MD5:
SHA256:
3068msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{2f412b1b-7879-4d7d-ad19-068215c8c323}_OnDiskSnapshotPropbinary
MD5:
SHA256:
3068msiexec.exeC:\Windows\Installer\MSI2832.tmpbinary
MD5:
SHA256:
3068msiexec.exeC:\Windows\Installer\152545.ipibinary
MD5:
SHA256:
3232vssvc.exeC:
MD5:
SHA256:
2624rundll32.exeC:\Users\admin\AppData\Local\Temp\ImagingEngine.dll\21096\ntdll.dll
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
rundll32.exe
G.1
rundll32.exe
???tᾮѿ尶周☘Ǖᾤѿ???t
rundll32.exe
???t
rundll32.exe
G.3
rundll32.exe
G.4
rundll32.exe
rundll32.exe
G.6
rundll32.exe
rundll32.exe
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
krreyo.oyl