analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | KInstall.exe.7z |
| Full analysis: | https://app.any.run/tasks/1049e191-1bd5-44ee-b2ab-526575579938 |
| Verdict: | Malicious activity |
| Analysis date: | March 01, 2024 at 18:31:39 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | 51D1217CE12D6C5CFAEBD48DC88176CD |
| SHA1: | B297ADA2BF5FD687312ECF57E20B3879560C6531 |
| SHA256: | B7EB20DCC834FD83352DA788AE532C1AEFE6A665F9A9FCB7A97D9907C625FCC8 |
| SSDEEP: | 98304:I07VK1cXLh8nHjBTRnFNft32kQue2HEp21f1XAfSEWaVKayNHa8M9Tg5ssagGOtc:ZKBEi4qKQkB4A0Cp6hGAgZ |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3240)
- KInstall.exe (PID: 3724)
- VC_redist.x64.exe (PID: 2724)
- VC_redist.x64.exe (PID: 2744)
Changes the autorun value in the registry
- KInstall.exe (PID: 3724)
SUSPICIOUS
Searches for installed software
- KInstall.exe (PID: 3724)
- VC_redist.x64.exe (PID: 2744)
Process drops legitimate windows executable
- KInstall.exe (PID: 3724)
- VC_redist.x64.exe (PID: 2724)
Executable content was dropped or overwritten
- KInstall.exe (PID: 3724)
- VC_redist.x64.exe (PID: 2724)
- VC_redist.x64.exe (PID: 2744)
Reads settings of System Certificates
- KInstall.exe (PID: 3724)
Reads security settings of Internet Explorer
- KInstall.exe (PID: 3724)
Checks Windows Trust Settings
- KInstall.exe (PID: 3724)
Reads the Internet Settings
- KInstall.exe (PID: 3724)
Starts a Microsoft application from unusual location
- VC_redist.x64.exe (PID: 2724)
- VC_redist.x64.exe (PID: 2744)
INFO
Reads the computer name
- KInstall.exe (PID: 3724)
- VC_redist.x64.exe (PID: 2744)
- wmpnscfg.exe (PID: 680)
Checks supported languages
- KInstall.exe (PID: 3724)
- VC_redist.x64.exe (PID: 2724)
- VC_redist.x64.exe (PID: 2744)
- wmpnscfg.exe (PID: 680)
Manual execution by a user
- KInstall.exe (PID: 3392)
- cmd.exe (PID: 2328)
- KInstall.exe (PID: 3724)
- wmpnscfg.exe (PID: 680)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3240)
Checks proxy server information
- KInstall.exe (PID: 3724)
Reads the machine GUID from the registry
- KInstall.exe (PID: 3724)
Create files in a temporary directory
- KInstall.exe (PID: 3724)
- VC_redist.x64.exe (PID: 2744)
Reads the software policy settings
- KInstall.exe (PID: 3724)
Creates files or folders in the user directory
- KInstall.exe (PID: 3724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
Total processes
51
Monitored processes
7
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3240 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\KInstall.exe.7z" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2328 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3392 | "C:\Users\admin\Desktop\KInstall.exe" | C:\Users\admin\Desktop\KInstall.exe | — | explorer.exe | |||||||||||
User: admin Company: Kaseya Integrity Level: MEDIUM Description: InstallScript Setup Launcher Exit code: 3221226540 Version: 9.5.18.1105 Modules
| |||||||||||||||
| 3724 | "C:\Users\admin\Desktop\KInstall.exe" | C:\Users\admin\Desktop\KInstall.exe | explorer.exe | ||||||||||||
User: admin Company: Kaseya Integrity Level: HIGH Description: InstallScript Setup Launcher Version: 9.5.18.1105 Modules
| |||||||||||||||
| 2724 | "C:\Users\admin\AppData\Local\Temp\{3EA929BC-5F26-4D4D-A7D1-20C698D84359}\{3F0609AB-9F5A-4252-869F-AFD6EF94631A}\VC_redist.x64.exe" /q /norestart | C:\Users\admin\AppData\Local\Temp\{3EA929BC-5F26-4D4D-A7D1-20C698D84359}\{3F0609AB-9F5A-4252-869F-AFD6EF94631A}\VC_redist.x64.exe | KInstall.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.29.30153 Exit code: 1 Version: 14.29.30153.0 Modules
| |||||||||||||||
| 2744 | "C:\Windows\Temp\{37E575A6-69C4-4A7A-818C-3D56E891A47F}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\{3EA929BC-5F26-4D4D-A7D1-20C698D84359}\{3F0609AB-9F5A-4252-869F-AFD6EF94631A}\VC_redist.x64.exe" -burn.filehandle.attached=152 -burn.filehandle.self=160 /q /norestart | C:\Windows\Temp\{37E575A6-69C4-4A7A-818C-3D56E891A47F}\.cr\VC_redist.x64.exe | VC_redist.x64.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.29.30153 Exit code: 1 Version: 14.29.30153.0 Modules
| |||||||||||||||
| 680 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
12 939
Read events
12 836
Write events
88
Delete events
15
Modification events
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\KInstall.exe.7z | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3240) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
23
Suspicious files
8
Text files
64
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3724 | KInstall.exe | C:\Users\admin\AppData\Local\Temp\{3EA929BC-5F26-4D4D-A7D1-20C698D84359}\Disk1\ISSetupPrerequisites\Microsoft .NET Framework 3.5 SP1.prq | xml | |
MD5:3303B85D71D9C3B959F960E88153C777 | SHA256:D471AA7CECBDB930273473BC04BBAD06A067BEC4EA87311E12C038ED12AC8BD2 | |||
| 3240 | WinRAR.exe | C:\Users\admin\Desktop\KInstall.exe | executable | |
MD5:9D3E2B28F372BD3D7DE66D924CDF244E | SHA256:1815249FE84E61F97145E260B8E95E3DB6F5AFF65C7989F8F807C0000F4C7FB3 | |||
| 3724 | KInstall.exe | C:\Users\admin\AppData\Local\Temp\{3EA929BC-5F26-4D4D-A7D1-20C698D84359}\Disk1\ISSetup.dll | executable | |
MD5:C5E7C495ED4644F46DEC884CDD2ACD54 | SHA256:DA30A9E6304C22FEB626E5FB41F44AED11AE3AD36D50676F97250C6A1DA6D052 | |||
| 3724 | KInstall.exe | C:\Users\admin\AppData\Local\Temp\{3EA929BC-5F26-4D4D-A7D1-20C698D84359}\Disk1\ISSetupPrerequisites\Windows Installer 3.1 for Windows XP (x64).prq | xml | |
MD5:A5C4EEA72107D2D02A2532CD9BFEC56A | SHA256:239D3EB29A16F42865C20219A33B03E59BB9B31CC58A2E47955147518402D824 | |||
| 3724 | KInstall.exe | C:\Users\admin\AppData\Local\Temp\{3EA929BC-5F26-4D4D-A7D1-20C698D84359}\Disk1\data1.cab | compressed | |
MD5:80FA14D9C02B2652D5D6E4F50C4BE971 | SHA256:53E6AAFDBB88B48C1299C5CBD2C83166C5CC4F39DDA9C8E6DF2BD28CA259468B | |||
| 3724 | KInstall.exe | C:\Users\admin\AppData\Local\Temp\{3EA929BC-5F26-4D4D-A7D1-20C698D84359}\Disk1\ISSetupPrerequisites\Windows Installer 3.1 for Windows Server 2003 SP1 (x64).prq | xml | |
MD5:37A2E348A23713DBD59585AB7202E71A | SHA256:47A85D193DB5944241442CE40F2F8C1A3BAC9FEC208DE7678D137BB595766301 | |||
| 3724 | KInstall.exe | C:\Users\admin\AppData\Local\Temp\{3EA929BC-5F26-4D4D-A7D1-20C698D84359}\Disk1\ISSetupPrerequisites\Microsoft Visual C++ 2019 Redistributable Package (x64).prq | xml | |
MD5:6032D6BC4CCF96C506530DA1F0DA320E | SHA256:C592A864EA5200035EEAB100D63E0AB4F9A3107FFDD01A8554377A8385FB38A7 | |||
| 3724 | KInstall.exe | C:\Users\admin\AppData\Local\Temp\{3EA929BC-5F26-4D4D-A7D1-20C698D84359}\Disk1\ISSetupPrerequisites\Microsoft Visual C++ 2019 Redistributable Package (x86).prq | xml | |
MD5:668AFF0BA02B718616F2E3F7B9062898 | SHA256:41ABB4A97C61F0D8B7846C1F40DACD0A695A670E800BFE9AB6B74E5BF75A6771 | |||
| 3724 | KInstall.exe | C:\Users\admin\AppData\Local\Temp\{3EA929BC-5F26-4D4D-A7D1-20C698D84359}\Disk1\0x0409.ini | text | |
MD5:BE345D0260AE12C5F2F337B17E07C217 | SHA256:E994689A13B9448C074F9B471EDEEC9B524890A0D82925E98AB90B658016D8F3 | |||
| 3724 | KInstall.exe | C:\Users\admin\AppData\Local\Temp\{3EA929BC-5F26-4D4D-A7D1-20C698D84359}\Disk1\data1.hdr | compressed | |
MD5:CA7A3545D566BB50B7C25EF58F95DC12 | SHA256:455819B659DC20A024723DF2DEB45B2B3F6A4E9A05DF99CD2AE034B15F0DE8E3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
10
DNS requests
4
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3724 | KInstall.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?dc05e2f1193aa105 | unknown | — | — | — |
3724 | KInstall.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | — |
3724 | KInstall.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | binary | 471 b | — |
1080 | svchost.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?89bca2e7018c82c0 | unknown | compressed | 67.5 Kb | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | unknown |
3724 | KInstall.exe | 184.24.201.247:443 | aka.ms | AKAMAI-AS | IE | unknown |
3724 | KInstall.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | unknown |
3724 | KInstall.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown |
3724 | KInstall.exe | 68.232.34.200:443 | download.visualstudio.microsoft.com | EDGECAST | US | unknown |
1080 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
aka.ms |
| unknown |
ctldl.windowsupdate.com |
| unknown |
ocsp.digicert.com |
| unknown |
download.visualstudio.microsoft.com |
| unknown |