analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

krreyo.msi

Full analysis: https://app.any.run/tasks/f321bd32-d0f3-4200-ad0c-f8dce28ce5eb
Verdict: Malicious activity
Analysis date: June 18, 2019, 21:22:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1251, Title: Installation Database, Subject: Microsoft.NET, Author: user, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft.NET., Template: Intel;1049, Revision Number: {9C4E4ED1-5BE4-460D-A942-793EDD7912E0}, Create Time/Date: Thu Jun 13 10:30:40 2019, Last Saved Time/Date: Thu Jun 13 10:30:40 2019, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1528), Security: 2
MD5:

C2A35E7C5CD6885078F306AE25424148

SHA1:

38D4B8FD89219DCCD70963F6474A56EF8926650E

SHA256:

501B36D805BCB6C9B89E406646831520D984BAFA7DE1788076277A749C9F9C54

SSDEEP:

49152:Bk+KzQLwgTJ2Y5WqOjU9Lk47yav41lCVhoenXSl/5O6mi1q8hPXWceys:BJPVF2Y5WqOjkY4VQKLXSnphPGt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2128)
      • WerFault.exe (PID: 2492)
    • Application was dropped or rewritten from another process

      • z.exe (PID: 2364)
  • SUSPICIOUS

    • Executed via COM

      • DrvInst.exe (PID: 1820)
    • Executed as Windows Service

      • vssvc.exe (PID: 2696)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3524)
      • cmd.exe (PID: 344)
    • Starts CMD.EXE for commands execution

      • MsiExec.exe (PID: 3364)
    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 344)
    • Uses TASKKILL.EXE to kill process

      • rundll32.exe (PID: 2128)
  • INFO

    • Application launched itself

      • msiexec.exe (PID: 3524)
    • Searches for installed software

      • msiexec.exe (PID: 3524)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2696)
    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 1820)
    • Changes settings of System certificates

      • DrvInst.exe (PID: 1820)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3364)
    • Application was crashed

      • rundll32.exe (PID: 2128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Cyrillic
Title: Installation Database
Subject: Microsoft.NET
Author: user
Keywords: Installer
Comments: This installer database contains the logic and data required to install Microsoft.NET.
Template: Intel;1049
RevisionNumber: {9C4E4ED1-5BE4-460D-A942-793EDD7912E0}
CreateDate: 2019:06:13 09:30:40
ModifyDate: 2019:06:13 09:30:40
Pages: 200
Words: 10
Software: Windows Installer XML Toolset (3.11.0.1528)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
11
Malicious processes
0
Suspicious processes
3

Behavior graph

Click at the process to see the details
start msiexec.exe no specs msiexec.exe vssvc.exe no specs drvinst.exe no specs msiexec.exe no specs cmd.exe no specs z.exe no specs cmd.exe rundll32.exe taskkill.exe no specs werfault.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3396"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\krreyo.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
1
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3524C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2696C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1820DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000560" "000004C0"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3364C:\Windows\system32\MsiExec.exe -Embedding B6B2B15181DFC2860E17744EDB18DCC1C:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
1
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
868"cmd" /c "cd "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\"&z -o -P arima msi.zip"C:\Windows\system32\cmd.exeMsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2364z -o -P arima msi.zipC:\Users\admin\AppData\Local\Temp\ImagingEngine.dll\z.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
344"cmd" /v:on /c "set Tlder=rundll32&set Dlsrt=%random%&mkdir "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\!Dlsrt!"&cd "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\!Dlsrt!\"&move /y "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\*.*" "C:\Users\admin\AppData\Local\Temp\\ImagingEngine.dll\!Dlsrt!"\&!Tlder! ic64.dll,Entry u"C:\Windows\system32\cmd.exe
MsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225477
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2128rundll32 ic64.dll,Entry uC:\Windows\system32\rundll32.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
3221225477
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3596"C:\Windows\System32\taskkill.exe" /IM msiexec.exe /FC:\Windows\System32\taskkill.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
589
Read events
401
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
10
Text files
91
Unknown types
1

Dropped files

PID
Process
Filename
Type
3524msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
3524msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:6A9AE059A5EC008B5D69C5EE1B482D53
SHA256:E9D7D86986367A837058AE588A9E1F233C9F87CCC67BF4E36675BED87F7AA40B
3524msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{85a4bfa6-0a17-453c-8be3-6270c1801019}_OnDiskSnapshotPropbinary
MD5:6A9AE059A5EC008B5D69C5EE1B482D53
SHA256:E9D7D86986367A837058AE588A9E1F233C9F87CCC67BF4E36675BED87F7AA40B
1820DrvInst.exeC:\Windows\INF\setupapi.ev1binary
MD5:DC9206C36C10CFA35E68AB999FA90A53
SHA256:9D7B201CCE9ADEBF5FA708006AD863189F9361D947FCB97505AC1808552F6BCB
1820DrvInst.exeC:\Windows\INF\setupapi.ev3binary
MD5:76DCC60F78B3DFF1AE3627619074F465
SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
1820DrvInst.exeC:\Windows\INF\setupapi.dev.logini
MD5:A59535288E47116DB3D5927C72741610
SHA256:23972454873FDE481D1D243EC8C84808BF3636C993D4BABD78AC1DF4782A84AA
3524msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF37E93FB7179880F9.TMP
MD5:
SHA256:
2364z.exeC:\Users\admin\AppData\Local\Temp\ImagingEngine.dll\bin.dat
MD5:
SHA256:
2364z.exeC:\Users\admin\AppData\Local\Temp\ImagingEngine.dll\ic64.dll
MD5:
SHA256:
2696vssvc.exeC:
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
rundll32.exe
G.1
rundll32.exe
???t
rundll32.exe
???t
rundll32.exe
G.3
rundll32.exe
G.4
rundll32.exe
rundll32.exe
G.6
rundll32.exe
rundll32.exe