File name: ВАСЯ диагност 1.1.exe
Full analysis: https://app.any.run/tasks/6a40058c-a3a2-4bf6-b460-13c460686a02
Verdict: Malicious activity
Analysis date: August 12, 2022, 16:07:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 84EB8B45ADF54CD9F364C347421FCE75
SHA1: 84075EFFD993E3450BDB898ADC6943DFBDC87599
SHA256: 03A3EDB161597BDA64D7A734AF85F936D8961A7DB151CC14C9D72A482281593C
SSDEEP: 196608:QUHkek8H+/rRhBy9K88FR9O/fuFyj1R4Yqdt:9Hkekj/VhAy9O/fuchRqdt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • ВАСЯ диагност 1.1.exe (PID: 2632)
    • Drops executable file immediately after starts
      • ВАСЯ диагност 1.1.exe (PID: 2632)
      • ВАСЯ диагност 1.1.exe (PID: 472)
  • SUSPICIOUS
    • Checks supported languages
      • msiexec.exe (PID: 2808)
      • ВАСЯ диагност 1.1.exe (PID: 472)
      • ВАСЯ диагност 1.1.exe (PID: 2632)
      • MsiExec.exe (PID: 2340)
    • Reads the computer name
      • ВАСЯ диагност 1.1.exe (PID: 472)
      • ВАСЯ диагност 1.1.exe (PID: 2632)
      • msiexec.exe (PID: 2808)
      • MsiExec.exe (PID: 2340)
    • Reads Windows owner or organization settings
      • ВАСЯ диагност 1.1.exe (PID: 472)
    • Reads the Windows organization settings
      • ВАСЯ диагност 1.1.exe (PID: 472)
    • Application launched itself
      • ВАСЯ диагност 1.1.exe (PID: 2632)
    • Drops a file with a compile date too recent
      • ВАСЯ диагност 1.1.exe (PID: 2632)
      • ВАСЯ диагност 1.1.exe (PID: 472)
    • Executable content was dropped or overwritten
      • ВАСЯ диагност 1.1.exe (PID: 2632)
      • ВАСЯ диагност 1.1.exe (PID: 472)
    • Executed via COM
      • DllHost.exe (PID: 3412)
    • Creates a directory in Program Files
      • DllHost.exe (PID: 3412)
  • INFO
    • Application launched itself
      • msiexec.exe (PID: 2808)
    • Reads the computer name
      • DllHost.exe (PID: 3412)
      • explorer.exe (PID: 3980)
    • Manual execution by user
      • explorer.exe (PID: 3980)
    • Checks supported languages
      • explorer.exe (PID: 3980)
      • DllHost.exe (PID: 3412)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:08:16 11:35:51+02:00
PEType: PE32
LinkerVersion: 9
CodeSize: 812544
InitializedDataSize: 382464
UninitializedDataSize: -
EntryPoint: 0x993d9
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.1.0.0
ProductVersionNumber: 1.1.0.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: Car2diag
FileDescription: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
FileVersion: 1.1.0
InternalName: vd_1.1.0_setup
LegalCopyright: Copyright (C) Car2diag
OriginalFileName: vd_1.1.0_setup.exe
ProductName: ВАСЯ диагност
ProductVersion: 1.1.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Aug-2011 09:35:51
Detected languages:
  • English - United States
  • Russian - Russia
Debug artifacts:
  • D:\BranchAI\win\Release\stubs\x86u\ExternalUi.pdb
CompanyName: Car2diag
FileDescription: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
FileVersion: 1.1.0
InternalName: vd_1.1.0_setup
LegalCopyright: Copyright (C) Car2diag
OriginalFileName: vd_1.1.0_setup.exe
ProductName: ВАСЯ диагност
ProductVersion: 1.1.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 16-Aug-2011 09:35:51
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000C653E | 0x000C6600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.62726
.rdata | 0x000C8000 | 0x00030CB2 | 0x00030E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.4147
.data | 0x000F9000 | 0x00008EC4 | 0x00002E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.22785
.rsrc | 0x00102000 | 0x000163BC | 0x00016400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.53486
.reloc | 0x00119000 | 0x00013574 | 0x00013600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.12346

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.22953 | 845 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 3.08438 | 744 | Latin 1 / Western European | Russian - Russia | RT_ICON
3 | 3.20315 | 488 | Latin 1 / Western European | Russian - Russia | RT_ICON
4 | 3.08623 | 296 | Latin 1 / Western European | Russian - Russia | RT_ICON
5 | 5.59298 | 3752 | Latin 1 / Western European | Russian - Russia | RT_ICON
6 | 6.02092 | 2216 | Latin 1 / Western European | Russian - Russia | RT_ICON
7 | 6.00379 | 1736 | Latin 1 / Western European | Russian - Russia | RT_ICON
8 | 4.59129 | 1384 | Latin 1 / Western European | Russian - Russia | RT_ICON
9 | 3.96518 | 1114 | Latin 1 / Western European | Russian - Russia | RT_STRING
10 | 4.22341 | 2032 | Latin 1 / Western European | Russian - Russia | RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
MSIMG32.dll
NETAPI32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph (interactive view in the full report): start, вася диагност 1.1.exe, вася диагност 1.1.exe, msiexec.exe (no specs), msiexec.exe (no specs), Copy/Move/Rename/Delete/Link Object (no specs), explorer.exe (no specs)

Process information

PID: 2632
CMD: "C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe"
Path: C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe
Parent process: Explorer.EXE
User: admin
Company: Car2diag
Integrity Level: MEDIUM
Description: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
Exit code: 4294967295
Version: 1.1.0

PID: 472
CMD: /i "C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\ВАСЯ.msi" AI_SETUPEXEPATH="C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe" SETUPEXEDIR="C:\Users\admin\AppData\Local\Temp\"
Path: C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe
Parent process: ВАСЯ диагност 1.1.exe
User: admin
Company: Car2diag
Integrity Level: MEDIUM
Description: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
Exit code: 1602
Version: 1.1.0

PID: 2808
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 2340
CMD: C:\Windows\system32\MsiExec.exe -Embedding 52A417DC8CE9463CA0DB811BF8C9205E C
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3412
CMD: C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3980
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 5 794
Read events: 5 720
Write events: 73
Delete events: 1

Modification events

PID 472, ВАСЯ диагност 1.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
PID 472, ВАСЯ диагност 1.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value:
01000000020000000D0000000C000000000000000B00000007000000060000000A0000000900000008000000030000000500000004000000FFFFFFFF
PID 472, ВАСЯ диагност 1.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0
Operation: write
Name: MRUListEx
Value:
010000000000000002000000040000000500000003000000FFFFFFFF
PID 472, ВАСЯ диагност 1.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\35\Shell
Operation: write
Name: SniffedFolderType
Value: Generic
PID 472, ВАСЯ диагност 1.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
PID 472, ВАСЯ диагност 1.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1
Operation: write
Name: 9
Value:
4C003100000000000C5526811000766173696100380008000400EFBE0C5526810C5526812A0000004EE0000000000800000000000000000000000000000076006100730069006100000014000000
PID 472, ВАСЯ диагност 1.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1
Operation: write
Name: MRUListEx
Value:
09000000080000000700000006000000050000000400000003000000010000000000000002000000FFFFFFFF
PID 472, ВАСЯ диагност 1.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
PID 472, ВАСЯ диагност 1.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\9
Operation: write
Name: NodeSlot
Value: 186
PID 472, ВАСЯ диагност 1.1.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\9
Operation: write
Name: MRUListEx
Value: FFFFFFFF
Executable files: 25
Suspicious files: 16
Text files: 1 200
Unknown types: 6

Dropped files

PID | Process | Filename | Type
2632 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Labels\LabelVer.txt | text
MD5:1848E47B498F59C8ED4CFC4F1DAF454A
SHA256:B4AA1DCA3E768E547FF8E20D6E803E86855F0CF1A3AD16DB734E619FAF155FE1
2632 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\i386\ftcserco.dll | executable
MD5:C0FFD52B4E3A7C789D23B0DE3131027D
SHA256:555F9F4AADD979C90A98ECF6A9BDE68815DBC3D102C0D0F9451A195641C9BC45
2632 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\i386\ftbusui.dll | executable
MD5:7DF09F338A7EA78237C93D57090F9ACC
SHA256:13439DC467DE190E9334EEB9AB6810FAA6FF06457C3A10EC807343E820E29579
2632 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\vd.exe | executable
MD5:E845FC9FD35FB60D9B7CD57E290BE0B1
SHA256:08AF36C7963B3D0DD349A0D8E599099C6A934118BCCD9342814459AFC6FBE858
2632 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\decoder.dll | executable
MD5:49B60B1C3414C85D69DDF03FAD42A6B2
SHA256:511595CDEEF5C40093D66F532BA4C207AC343439AA82049162B18E6B5E293173
2632 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\amd64\ftd2xx64.dll | executable
MD5:04E2D6F40D388DD2324CF574A604B842
SHA256:27005B9ECBC9863A5BA9174BDB0A449B5868814FA1D21B2760C29345168D95FA
2632 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\vd.exe.manifest | xml
MD5:26A7C7C71924B6EBE2201FF0A4E0E821
SHA256:3C3A3AC34E4EA4600C607C0CF28FE63054C38A34B8D5EC599A5321D2077BF873
2632 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\CDM20814_Setup.exe | executable
MD5:080C9F252D15D67540C7F82173D5A135
SHA256:35F4B0FB91145D56BDED0E71A2EAF8D713C3676971F79BC3A7201333D951DFB7
2632 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\ftd2xx.h | text
MD5:30C72676B95D747E80C54F096DD231BB
SHA256:90432B8FB114EF0AD4519588172C60D9ABFA477E4A68ABDE05A37E9052A6C338
2632 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\amd64\ftcserco.dll | executable
MD5:618E1CC7A703C3B4C412E36CB68FE05B
SHA256:F029FADEE7528B17AC3CDD45E1C96590781093BD541C7231A5992177B358B3CC
Download the PCAP and analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info