File name: TrueCrypt Setup 7.1a.exe

Full analysis: https://app.any.run/tasks/6e5b62e6-2893-40ac-8e9a-080c07d40af9
Verdict: Malicious activity
Analysis date: November 22, 2023, 11:00:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7A23AC83A0856C352025A6F7C9CC1526
SHA1: 7689D038C76BD1DF695D295C026961E50E4A62EA
SHA256: E95ECA399DFE95500C4DE569EFC4CC77B75E2B66A864D467DF37733EC06A0FF2
SSDEEP: 98304:it8sYEHsONuSMaHbCJUv9akFWLJxk4LCt8OOARIYSJbVMQ7NN6kX0M8FWxVW2gSZ:YZajve

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • TrueCrypt Setup 7.1a.exe (PID: 3608)
    • Drops the executable file immediately after the start

      • TrueCrypt Setup 7.1a.exe (PID: 3608)
  • SUSPICIOUS

    • Searches for installed software

      • TrueCrypt Setup 7.1a.exe (PID: 3608)
      • dllhost.exe (PID: 3916)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3556)
    • Creates files in the driver directory

      • TrueCrypt Setup 7.1a.exe (PID: 3608)
    • Drops a system driver (possible attempt to evade defenses)

      • TrueCrypt Setup 7.1a.exe (PID: 3608)
  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 3436)
      • TrueCrypt Setup 7.1a.exe (PID: 3608)
      • TrueCrypt Format.exe (PID: 1376)
    • Checks supported languages

      • wmpnscfg.exe (PID: 3436)
      • TrueCrypt Setup 7.1a.exe (PID: 3608)
      • TrueCrypt Format.exe (PID: 1376)
      • TrueCrypt.exe (PID: 3820)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3436)
      • TrueCrypt Setup 7.1a.exe (PID: 3608)
      • TrueCrypt Format.exe (PID: 1376)
    • Creates files in the program directory

      • TrueCrypt Setup 7.1a.exe (PID: 3608)
    • Manual execution by a user

      • TrueCrypt.exe (PID: 3820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:07 10:09:48+01:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 265216
InitializedDataSize: 792576
UninitializedDataSize: -
EntryPoint: 0x28653
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 7.1.1.0
ProductVersionNumber: 7.1.1.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: TrueCrypt Foundation
FileDescription: TrueCrypt Setup
FileVersion: 7.1a
LegalTrademarks: TrueCrypt
OriginalFileName: TrueCrypt Setup.exe
ProductName: TrueCrypt
ProductVersion: 7.1a
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph: TrueCrypt Setup 7.1a.exe (start), VSSVC.exe, SPPSurrogate, TrueCrypt.exe, TrueCrypt Format.exe, TrueCrypt Setup 7.1a.exe, wmpnscfg.exe

Process information

PID: 1376
CMD: "C:\Program Files\TrueCrypt\TrueCrypt Format.exe"
Path: C:\Program Files\TrueCrypt\TrueCrypt Format.exe
Indicators: (none)
Parent process: TrueCrypt.exe
User: admin
Company: TrueCrypt Foundation
Integrity Level: MEDIUM
Description: TrueCrypt Format
Exit code: 0
Version: 7.1a
Modules (images):
c:\program files\truecrypt\truecrypt format.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 3220
CMD: "C:\Users\admin\AppData\Local\Temp\TrueCrypt Setup 7.1a.exe"
Path: C:\Users\admin\AppData\Local\Temp\TrueCrypt Setup 7.1a.exe
Indicators: (none)
Parent process: explorer.exe
User: admin
Company: TrueCrypt Foundation
Integrity Level: MEDIUM
Description: TrueCrypt Setup
Exit code: 3221226540
Version: 7.1a
Modules (images):
c:\users\admin\appdata\local\temp\truecrypt setup 7.1a.exe
c:\windows\system32\ntdll.dll
PID: 3436
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Indicators: (none)
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
PID: 3556
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Indicators: (none)
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3608
CMD: "C:\Users\admin\AppData\Local\Temp\TrueCrypt Setup 7.1a.exe"
Path: C:\Users\admin\AppData\Local\Temp\TrueCrypt Setup 7.1a.exe
Indicators: (none)
Parent process: explorer.exe
User: admin
Company: TrueCrypt Foundation
Integrity Level: HIGH
Description: TrueCrypt Setup
Exit code: 0
Version: 7.1a
Modules (images):
c:\users\admin\appdata\local\temp\truecrypt setup 7.1a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 3820
CMD: "C:\Program Files\TrueCrypt\TrueCrypt.exe"
Path: C:\Program Files\TrueCrypt\TrueCrypt.exe
Indicators: (none)
Parent process: explorer.exe
User: admin
Company: TrueCrypt Foundation
Integrity Level: MEDIUM
Description: TrueCrypt
Exit code: 0
Version: 7.1a
Modules (images):
c:\program files\truecrypt\truecrypt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 3916
CMD: C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\System32\dllhost.exe
Indicators: (none)
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 2 103
Read events: 2 067
Write events: 33
Delete events: 3

Modification events

(PID) Process: (3436) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{8A594518-4BFB-4833-905D-FCEDBE311821}\{CE79A37A-99F7-4BA7-A709-0EF391F5C037}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3436) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{8A594518-4BFB-4833-905D-FCEDBE311821}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3436) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{84898FAF-7BBC-4CA6-9771-9DECC7061280}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3608) TrueCrypt Setup 7.1a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 4000000000000000F2B487BA16B0D901C80700002C0A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3608) TrueCrypt Setup 7.1a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 4000000000000000F2B487BA16B0D901C80700002C0A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3608) TrueCrypt Setup 7.1a.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 72

(PID) Process: (3608) TrueCrypt Setup 7.1a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 40000000000000008C62D6BA16B0D901C80700002C0A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3608) TrueCrypt Setup 7.1a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Leave)
Value: 400000000000000064514ABC16B0D901C80700002C0A0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3608) TrueCrypt Setup 7.1a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Leave)
Value: 4000000000000000781D5ABD16B0D901C80700002C0A0000D0070000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3608) TrueCrypt Setup 7.1a.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Leave)
Value: 4000000000000000781D5ABD16B0D901C80700002C0A0000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 6
Suspicious files: 6
Text files: 2
Unknown types: 0

Dropped files

PID: 3916 (dllhost.exe)
Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:

PID: 3608 (TrueCrypt Setup 7.1a.exe)
Filename: C:\Program Files\TrueCrypt\truecrypt.sys
Type: executable
MD5: ED5E4CE36C54F55E7698642E94D32EC7
SHA256: 07BD324083D1784F8F716C528D530003369E6D87EFC7B79BCAA1767F80DA4FDC

PID: 3608 (TrueCrypt Setup 7.1a.exe)
Filename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TrueCrypt\TrueCrypt.lnk
Type: binary
MD5: 226C45981E05382F258DDB390F231CCC
SHA256: B52C1C13943298B105EA9EC057C8DCF57031B927917E47EDB02A43E13991896A

PID: 3608 (TrueCrypt Setup 7.1a.exe)
Filename: C:\Windows\system32\Drivers\truecrypt.sys
Type: executable
MD5: ED5E4CE36C54F55E7698642E94D32EC7
SHA256: 07BD324083D1784F8F716C528D530003369E6D87EFC7B79BCAA1767F80DA4FDC

PID: 3608 (TrueCrypt Setup 7.1a.exe)
Filename: C:\Program Files\TrueCrypt\truecrypt-x64.sys
Type: executable
MD5: 370A6907DDF79532A39319492B1FA38A
SHA256: 46AECC5160F04FC3FFE4D37B404CCBBD1C5DC1501C2CEEE8284FF544DBDF10F8

PID: 3916 (dllhost.exe)
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5: 2D045AB8D9DF20A43D41D462F992821D
SHA256: 4A75BB1CB294E4FD84C7DCF2C8218E3EBA873187FDB6F168474333065624D80E

PID: 3916 (dllhost.exe)
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{e31e2441-5031-4d63-994f-01c8b4bd5eb9}_OnDiskSnapshotProp
Type: binary
MD5: 2D045AB8D9DF20A43D41D462F992821D
SHA256: 4A75BB1CB294E4FD84C7DCF2C8218E3EBA873187FDB6F168474333065624D80E

PID: 3608 (TrueCrypt Setup 7.1a.exe)
Filename: C:\Program Files\TrueCrypt\TrueCrypt User Guide.pdf
Type: pdf
MD5: 60B1EA96C0DCB7238DA39844F0C11910
SHA256: 739D7A00489395F516239A506F2E0B614052401CD9F692B4F8CDE0CBF55B3C0A

PID: 3608 (TrueCrypt Setup 7.1a.exe)
Filename: C:\Program Files\TrueCrypt\TrueCrypt Setup.exe
Type: executable
MD5: 7A23AC83A0856C352025A6F7C9CC1526
SHA256: E95ECA399DFE95500C4DE569EFC4CC77B75E2B66A864D467DF37733EC06A0FF2

PID: 3608 (TrueCrypt Setup 7.1a.exe)
Filename: C:\Users\Public\Desktop\TrueCrypt.lnk
Type: binary
MD5: D4C6BECFD54467D040D7D4018B945710
SHA256: 8D89289EA8A13AB3380D3EDE4DD5F0F4B2E42C28CE9A68F67DC1DC880DF25318
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 1080 | Process: svchost.exe | IP: 224.0.0.252:5355 | Domain: | ASN: | CN: | Reputation: unknown
PID: 4 | Process: System | IP: 192.168.100.255:138 | Domain: | ASN: | CN: | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Domain: | ASN: | CN: | Reputation: whitelisted
PID: 2588 | Process: svchost.exe | IP: 239.255.255.250:1900 | Domain: | ASN: | CN: | Reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info