File name:

TrueCrypt Setup 7.1a.exe

Full analysis: https://app.any.run/tasks/6e5b62e6-2893-40ac-8e9a-080c07d40af9
Verdict: Malicious activity
Analysis date: November 22, 2023, 11:00:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7A23AC83A0856C352025A6F7C9CC1526

SHA1:

7689D038C76BD1DF695D295C026961E50E4A62EA

SHA256:

E95ECA399DFE95500C4DE569EFC4CC77B75E2B66A864D467DF37733EC06A0FF2

SSDEEP:

98304:it8sYEHsONuSMaHbCJUv9akFWLJxk4LCt8OOARIYSJbVMQ7NN6kX0M8FWxVW2gSZ:YZajve

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Creates a writable file in the system directory

      • TrueCrypt Setup 7.1a.exe (PID: 3608)

    • Drops the executable file immediately after the start

      • TrueCrypt Setup 7.1a.exe (PID: 3608)

  • SUSPICIOUS

    • Searches for installed software

      • TrueCrypt Setup 7.1a.exe (PID: 3608)
      • dllhost.exe (PID: 3916)

    • Executes as Windows Service

      • VSSVC.exe (PID: 3556)

    • Creates files in the driver directory

      • TrueCrypt Setup 7.1a.exe (PID: 3608)

    • Drops a system driver (possible attempt to evade defenses)

      • TrueCrypt Setup 7.1a.exe (PID: 3608)

  • INFO

    • Reads the machine GUID from the registry

      • TrueCrypt Setup 7.1a.exe (PID: 3608)
      • wmpnscfg.exe (PID: 3436)
      • TrueCrypt Format.exe (PID: 1376)

    • Reads the computer name

      • TrueCrypt Setup 7.1a.exe (PID: 3608)
      • wmpnscfg.exe (PID: 3436)
      • TrueCrypt Format.exe (PID: 1376)

    • Checks supported languages

      • TrueCrypt Setup 7.1a.exe (PID: 3608)
      • TrueCrypt.exe (PID: 3820)
      • TrueCrypt Format.exe (PID: 1376)
      • wmpnscfg.exe (PID: 3436)

    • Creates files in the program directory

      • TrueCrypt Setup 7.1a.exe (PID: 3608)

    • Manual execution by a user

      • TrueCrypt.exe (PID: 3820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:07 10:09:48+01:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 265216
InitializedDataSize: 792576
UninitializedDataSize: -
EntryPoint: 0x28653
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 7.1.1.0
ProductVersionNumber: 7.1.1.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: TrueCrypt Foundation
FileDescription: TrueCrypt Setup
FileVersion: 7.1a
LegalTrademarks: TrueCrypt
OriginalFileName: TrueCrypt Setup.exe
ProductName: TrueCrypt
ProductVersion: 7.1a
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start truecrypt setup 7.1a.exe vssvc.exe no specs SPPSurrogate no specs truecrypt.exe no specs truecrypt format.exe no specs truecrypt setup 7.1a.exe no specs wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1376"C:\Program Files\TrueCrypt\TrueCrypt Format.exe"C:\Program Files\TrueCrypt\TrueCrypt Format.exeTrueCrypt.exe
User:
admin
Company:
TrueCrypt Foundation
Integrity Level:
MEDIUM
Description:
TrueCrypt Format
Exit code:
0
Version:
7.1a
Modules
Images
c:\program files\truecrypt\truecrypt format.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
3220"C:\Users\admin\AppData\Local\Temp\TrueCrypt Setup 7.1a.exe" C:\Users\admin\AppData\Local\Temp\TrueCrypt Setup 7.1a.exeexplorer.exe
User:
admin
Company:
TrueCrypt Foundation
Integrity Level:
MEDIUM
Description:
TrueCrypt Setup
Exit code:
3221226540
Version:
7.1a
Modules
Images
c:\users\admin\appdata\local\temp\truecrypt setup 7.1a.exe
c:\windows\system32\ntdll.dll
3436"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
3556C:\Windows\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3608"C:\Users\admin\AppData\Local\Temp\TrueCrypt Setup 7.1a.exe" C:\Users\admin\AppData\Local\Temp\TrueCrypt Setup 7.1a.exe
explorer.exe
User:
admin
Company:
TrueCrypt Foundation
Integrity Level:
HIGH
Description:
TrueCrypt Setup
Exit code:
0
Version:
7.1a
Modules
Images
c:\users\admin\appdata\local\temp\truecrypt setup 7.1a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
3820"C:\Program Files\TrueCrypt\TrueCrypt.exe" C:\Program Files\TrueCrypt\TrueCrypt.exeexplorer.exe
User:
admin
Company:
TrueCrypt Foundation
Integrity Level:
MEDIUM
Description:
TrueCrypt
Exit code:
0
Version:
7.1a
Modules
Images
c:\program files\truecrypt\truecrypt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
3916C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
2 103
Read events
2 067
Write events
33
Delete events
3

Modification events

(PID) Process:(3436) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{8A594518-4BFB-4833-905D-FCEDBE311821}\{CE79A37A-99F7-4BA7-A709-0EF391F5C037}
Operation:delete keyName:(default)
Value:
(PID) Process:(3436) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{8A594518-4BFB-4833-905D-FCEDBE311821}
Operation:delete keyName:(default)
Value:
(PID) Process:(3436) wmpnscfg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{84898FAF-7BBC-4CA6-9771-9DECC7061280}
Operation:delete keyName:(default)
Value:
(PID) Process:(3608) TrueCrypt Setup 7.1a.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4000000000000000F2B487BA16B0D901C80700002C0A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3608) TrueCrypt Setup 7.1a.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4000000000000000F2B487BA16B0D901C80700002C0A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3608) TrueCrypt Setup 7.1a.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
72
(PID) Process:(3608) TrueCrypt Setup 7.1a.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
40000000000000008C62D6BA16B0D901C80700002C0A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3608) TrueCrypt Setup 7.1a.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Leave)
Value:
400000000000000064514ABC16B0D901C80700002C0A0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3608) TrueCrypt Setup 7.1a.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppCreate (Leave)
Value:
4000000000000000781D5ABD16B0D901C80700002C0A0000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3608) TrueCrypt Setup 7.1a.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Leave)
Value:
4000000000000000781D5ABD16B0D901C80700002C0A0000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
Executable files
6
Suspicious files
6
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3916dllhost.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
3608TrueCrypt Setup 7.1a.exeC:\Program Files\TrueCrypt\truecrypt.sysexecutable
MD5:ED5E4CE36C54F55E7698642E94D32EC7
SHA256:07BD324083D1784F8F716C528D530003369E6D87EFC7B79BCAA1767F80DA4FDC
3608TrueCrypt Setup 7.1a.exeC:\Windows\system32\Drivers\truecrypt.sysexecutable
MD5:ED5E4CE36C54F55E7698642E94D32EC7
SHA256:07BD324083D1784F8F716C528D530003369E6D87EFC7B79BCAA1767F80DA4FDC
3608TrueCrypt Setup 7.1a.exeC:\Program Files\TrueCrypt\truecrypt-x64.sysexecutable
MD5:370A6907DDF79532A39319492B1FA38A
SHA256:46AECC5160F04FC3FFE4D37B404CCBBD1C5DC1501C2CEEE8284FF544DBDF10F8
3608TrueCrypt Setup 7.1a.exeC:\Program Files\TrueCrypt\TrueCrypt.exeexecutable
MD5:FA8F08013422A4EB68072668B3A73293
SHA256:7F4E7AC770928E9D313B7E91DB4B904A98F3D8BBAC3E0B88FBCA9EF15DD6ED71
3608TrueCrypt Setup 7.1a.exeC:\Program Files\TrueCrypt\TrueCrypt Format.exeexecutable
MD5:48538C19ABE905D22E147B1C25D90880
SHA256:4E32F3D2AECBBB202E13738F5465E83BB5F21B05E587D7BBE811C8019116BB77
3608TrueCrypt Setup 7.1a.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\TrueCrypt\TrueCrypt Website.urltext
MD5:9CDA3A91CF04824781BBEBF415FE5211
SHA256:8CE38040F962B921742AB9C657E81E0AB8565C5DDE26B0D4C709E92FB0ADA057
3608TrueCrypt Setup 7.1a.exeC:\Program Files\TrueCrypt\TrueCrypt Setup.exeexecutable
MD5:7A23AC83A0856C352025A6F7C9CC1526
SHA256:E95ECA399DFE95500C4DE569EFC4CC77B75E2B66A864D467DF37733EC06A0FF2
3608TrueCrypt Setup 7.1a.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\TrueCrypt\TrueCrypt.lnkbinary
MD5:226C45981E05382F258DDB390F231CCC
SHA256:B52C1C13943298B105EA9EC057C8DCF57031B927917E47EDB02A43E13991896A
3608TrueCrypt Setup 7.1a.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\TrueCrypt\Uninstall TrueCrypt.lnkbinary
MD5:B2BFBC54B5CB5B4764254E65EF3FE931
SHA256:117523F26CD4899B1AEF12862F92DA28E284E134D2DBD3A64F60C46EC56BF89A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1080
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
2588
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TrueCrypt Setup 7.1a.exe