Field | Value |
---|---|
File name | krreyo.msi |
Full analysis | https://app.any.run/tasks/f321bd32-d0f3-4200-ad0c-f8dce28ce5eb |
Verdict | Malicious activity |
Analysis date | June 18, 2019, 21:22:47 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-msi |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1251, Title: Installation Database, Subject: Microsoft.NET, Author: user, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft.NET., Template: Intel;1049, Revision Number: {9C4E4ED1-5BE4-460D-A942-793EDD7912E0}, Create Time/Date: Thu Jun 13 10:30:40 2019, Last Saved Time/Date: Thu Jun 13 10:30:40 2019, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1528), Security: 2 |
MD5 | C2A35E7C5CD6885078F306AE25424148 |
SHA1 | 38D4B8FD89219DCCD70963F6474A56EF8926650E |
SHA256 | 501B36D805BCB6C9B89E406646831520D984BAFA7DE1788076277A749C9F9C54 |
SSDEEP | 49152:Bk+KzQLwgTJ2Y5WqOjU9Lk47yav41lCVhoenXSl/5O6mi1q8hPXWceys:BJPVF2Y5WqOjkY4VQKLXSnphPGt |
Extension | Detected type (match score) |
---|---|
.msi | Microsoft Windows Installer (98.5) |
.msi | Microsoft Installer (100) |
Property | Value |
---|---|
CodePage | Windows Cyrillic |
Title | Installation Database |
Subject | Microsoft.NET |
Author | user |
Keywords | Installer |
Comments | This installer database contains the logic and data required to install Microsoft.NET. |
Template | Intel;1049 |
RevisionNumber | {9C4E4ED1-5BE4-460D-A942-793EDD7912E0} |
CreateDate | 2019:06:13 09:30:40 |
ModifyDate | 2019:06:13 09:30:40 |
Pages | 200 |
Words | 10 |
Software | Windows Installer XML Toolset (3.11.0.1528) |
Security | Read-only recommended |
PID | CMD | Path | Indicators | Parent process | Process details |
---|---|---|---|---|---|
3396 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\krreyo.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 1; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
3524 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
2696 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Volume Shadow Copy Service; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1820 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000560" "000004C0" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Driver Installation Module; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3364 | C:\Windows\system32\MsiExec.exe -Embedding B6B2B15181DFC2860E17744EDB18DCC1 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 1; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
868 | "cmd" /c "cd "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\"&z -o -P arima msi.zip" | C:\Windows\system32\cmd.exe | — | MsiExec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2364 | z -o -P arima msi.zip | C:\Users\admin\AppData\Local\Temp\ImagingEngine.dll\z.exe | — | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
344 | "cmd" /v:on /c "set Tlder=rundll32&set Dlsrt=%random%&mkdir "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\!Dlsrt!"&cd "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\!Dlsrt!\"&move /y "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\*.*" "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\!Dlsrt!"\&!Tlder! ic64.dll,Entry u" | C:\Windows\system32\cmd.exe | | MsiExec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 3221225477; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2128 | rundll32 ic64.dll,Entry u | C:\Windows\system32\rundll32.exe | | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 3221225477; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3596 | "C:\Windows\System32\taskkill.exe" /IM msiexec.exe /F | C:\Windows\System32\taskkill.exe | — | rundll32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Terminates Processes; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3524 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | — | — |
3524 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | 6A9AE059A5EC008B5D69C5EE1B482D53 | E9D7D86986367A837058AE588A9E1F233C9F87CCC67BF4E36675BED87F7AA40B |
3524 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{85a4bfa6-0a17-453c-8be3-6270c1801019}_OnDiskSnapshotProp | binary | 6A9AE059A5EC008B5D69C5EE1B482D53 | E9D7D86986367A837058AE588A9E1F233C9F87CCC67BF4E36675BED87F7AA40B |
1820 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | DC9206C36C10CFA35E68AB999FA90A53 | 9D7B201CCE9ADEBF5FA708006AD863189F9361D947FCB97505AC1808552F6BCB |
1820 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | 76DCC60F78B3DFF1AE3627619074F465 | 18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0 |
1820 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | A59535288E47116DB3D5927C72741610 | 23972454873FDE481D1D243EC8C84808BF3636C993D4BABD78AC1DF4782A84AA |
3524 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF37E93FB7179880F9.TMP | — | — | — |
2364 | z.exe | C:\Users\admin\AppData\Local\Temp\ImagingEngine.dll\bin.dat | — | — | — |
2364 | z.exe | C:\Users\admin\AppData\Local\Temp\ImagingEngine.dll\ic64.dll | — | — | — |
2696 | vssvc.exe | C: | — | — | — |
Process | Message |
---|---|
rundll32.exe | G.1 |
rundll32.exe | ???t |
rundll32.exe | ???t |
rundll32.exe | G.3 |
rundll32.exe | G.4 |
rundll32.exe | |
rundll32.exe | G.6 |
rundll32.exe | |
rundll32.exe | |