Field | Value |
---|---|
File name | krreyo.oyl |
Full analysis | https://app.any.run/tasks/516a7995-e9d6-4186-9fde-6e78b146e0a6 |
Verdict | Malicious activity |
Analysis date | June 18, 2019, 20:56:06 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-msi |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1251, Title: Installation Database, Subject: Microsoft.NET, Author: user, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft.NET., Template: Intel;1049, Revision Number: {9C4E4ED1-5BE4-460D-A942-793EDD7912E0}, Create Time/Date: Thu Jun 13 10:30:40 2019, Last Saved Time/Date: Thu Jun 13 10:30:40 2019, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1528), Security: 2 |
MD5 | C2A35E7C5CD6885078F306AE25424148 |
SHA1 | 38D4B8FD89219DCCD70963F6474A56EF8926650E |
SHA256 | 501B36D805BCB6C9B89E406646831520D984BAFA7DE1788076277A749C9F9C54 |
SSDEEP | 49152:Bk+KzQLwgTJ2Y5WqOjU9Lk47yav41lCVhoenXSl/5O6mi1q8hPXWceys:BJPVF2Y5WqOjkY4VQKLXSnphPGt |

Extension | Type |
---|---|
.msi | Microsoft Windows Installer (98.5) |
.msi | Microsoft Installer (100) |

Field | Value |
---|---|
CodePage | Windows Cyrillic |
Title | Installation Database |
Subject | Microsoft.NET |
Author | user |
Keywords | Installer |
Comments | This installer database contains the logic and data required to install Microsoft.NET. |
Template | Intel;1049 |
RevisionNumber | {9C4E4ED1-5BE4-460D-A942-793EDD7912E0} |
CreateDate | 2019:06:13 09:30:40 |
ModifyDate | 2019:06:13 09:30:40 |
Pages | 200 |
Words | 10 |
Software | Windows Installer XML Toolset (3.11.0.1528) |
Security | Read-only recommended |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3680 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\krreyo.oyl.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 1; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
3068 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
3232 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Volume Shadow Copy Service; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2588 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000003A0" "000005BC" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Driver Installation Module; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2440 | C:\Windows\system32\MsiExec.exe -Embedding D091D024DEA02E33AD2781FC27DF5C85 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 1; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
2692 | "cmd" /c "cd "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\"&z -o -P arima msi.zip" | C:\Windows\system32\cmd.exe | — | MsiExec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2676 | z -o -P arima msi.zip | C:\Users\admin\AppData\Local\Temp\ImagingEngine.dll\z.exe | — | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
368 | "cmd" /v:on /c "set Tlder=rundll32&set Dlsrt=%random%&mkdir "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\!Dlsrt!"&cd "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\!Dlsrt!\"&move /y "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\*.*" "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\!Dlsrt!"\&!Tlder! ic64.dll,Entry u" | C:\Windows\system32\cmd.exe | — | MsiExec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2624 | rundll32 ic64.dll,Entry u | C:\Windows\system32\rundll32.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2912 | "C:\Windows\System32\taskkill.exe" /IM msiexec.exe /F | C:\Windows\System32\taskkill.exe | — | rundll32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Terminates Processes; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3068 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | — | — |
2588 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | 94179DCCC141D02BE27EAC7A6534714B | CE03D042B26310C2B80F3E765A1D096760550FD912E2E239D368A03468F57304 |
2588 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | 1C26F49BBE97014C10069D6190D21115 | FAA1929287189B011A77AB57586626DF4DF4582EF826971714231EBDFFF756D7 |
3068 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{2f412b1b-7879-4d7d-ad19-068215c8c323}_OnDiskSnapshotProp | binary | 1AF883244A68CE20FBC9910191398295 | 66CB9006C4B551D8330DF09CE79308A65EE1093F9485A2DC3BD751F71E530F54 |
3068 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | 1AF883244A68CE20FBC9910191398295 | 66CB9006C4B551D8330DF09CE79308A65EE1093F9485A2DC3BD751F71E530F54 |
2588 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | 76DCC60F78B3DFF1AE3627619074F465 | 18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0 |
3068 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFE79FF8E330B32F7E.TMP | — | — | — |
2676 | z.exe | C:\Users\admin\AppData\Local\Temp\ImagingEngine.dll\bin.dat | — | — | — |
2676 | z.exe | C:\Users\admin\AppData\Local\Temp\ImagingEngine.dll\ic64.dll | — | — | — |
3232 | vssvc.exe | C: | — | — | — |

Process | Message |
---|---|
rundll32.exe | G.1 |
rundll32.exe | ???tᾮѿ尶周☘Ǖᾤѿ???t |
rundll32.exe | ???t |
rundll32.exe | G.3 |
rundll32.exe | G.4 |
rundll32.exe | |
rundll32.exe | G.6 |
rundll32.exe | |
rundll32.exe | |