File name: ВАСЯ диагност 1.1.exe
Full analysis: https://app.any.run/tasks/818bea28-33b4-48eb-8e61-eb81c7cc57b2
Verdict: Malicious activity
Analysis date: August 12, 2022, 16:13:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 84EB8B45ADF54CD9F364C347421FCE75
SHA1: 84075EFFD993E3450BDB898ADC6943DFBDC87599
SHA256: 03A3EDB161597BDA64D7A734AF85F936D8961A7DB151CC14C9D72A482281593C
SSDEEP: 196608:QUHkek8H+/rRhBy9K88FR9O/fuFyj1R4Yqdt:9Hkekj/VhAy9O/fuchRqdt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • ВАСЯ диагност 1.1.exe (PID: 1976)
    • Drops executable file immediately after starts

      • ВАСЯ диагност 1.1.exe (PID: 1976)
      • ВАСЯ диагност 1.1.exe (PID: 4012)
      • msiexec.exe (PID: 3148)
    • Application was dropped or rewritten from another process

      • CDM20814_Setup.exe (PID: 3848)
      • CDM20814_Setup.exe (PID: 3052)
  • SUSPICIOUS

    • Reads the computer name

      • ВАСЯ диагност 1.1.exe (PID: 1976)
      • ВАСЯ диагност 1.1.exe (PID: 4012)
      • msiexec.exe (PID: 3148)
      • MsiExec.exe (PID: 740)
      • ВАСЯ диагност 1.1.exe (PID: 3404)
      • MsiExec.exe (PID: 900)
      • CDM20814_Setup.exe (PID: 3848)
    • Checks supported languages

      • msiexec.exe (PID: 3148)
      • ВАСЯ диагност 1.1.exe (PID: 1976)
      • MsiExec.exe (PID: 740)
      • ВАСЯ диагност 1.1.exe (PID: 4012)
      • ВАСЯ диагност 1.1.exe (PID: 3404)
      • MsiExec.exe (PID: 900)
      • CDM20814_Setup.exe (PID: 3848)
    • Application launched itself

      • ВАСЯ диагност 1.1.exe (PID: 1976)
      • ВАСЯ диагност 1.1.exe (PID: 4012)
    • Reads Windows owner or organization settings

      • ВАСЯ диагност 1.1.exe (PID: 4012)
      • msiexec.exe (PID: 3148)
      • ВАСЯ диагност 1.1.exe (PID: 3404)
    • Reads the Windows organization settings

      • ВАСЯ диагност 1.1.exe (PID: 4012)
      • ВАСЯ диагност 1.1.exe (PID: 3404)
      • msiexec.exe (PID: 3148)
    • Drops a file with a compile date too recent

      • ВАСЯ диагност 1.1.exe (PID: 1976)
      • ВАСЯ диагност 1.1.exe (PID: 4012)
      • msiexec.exe (PID: 3148)
    • Executable content was dropped or overwritten

      • ВАСЯ диагност 1.1.exe (PID: 1976)
      • ВАСЯ диагност 1.1.exe (PID: 4012)
      • msiexec.exe (PID: 3148)
    • Creates a directory in Program Files

      • msiexec.exe (PID: 3148)
  • INFO

    • Application launched itself

      • msiexec.exe (PID: 3148)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 740)
      • MsiExec.exe (PID: 900)
    • Checks Windows Trust Settings

      • ВАСЯ диагност 1.1.exe (PID: 3404)
    • Dropped object may contain Bitcoin addresses

      • msiexec.exe (PID: 3148)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3148)
    • Creates files in the program directory

      • msiexec.exe (PID: 3148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:08:16 11:35:51+02:00
PEType: PE32
LinkerVersion: 9
CodeSize: 812544
InitializedDataSize: 382464
UninitializedDataSize: -
EntryPoint: 0x993d9
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.1.0.0
ProductVersionNumber: 1.1.0.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Russian
CharacterSet: Unicode
CompanyName: Car2diag
FileDescription: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
FileVersion: 1.1.0
InternalName: vd_1.1.0_setup
LegalCopyright: Copyright (C) Car2diag
OriginalFileName: vd_1.1.0_setup.exe
ProductName: ВАСЯ диагност
ProductVersion: 1.1.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Aug-2011 09:35:51
Detected languages:
  • English - United States
  • Russian - Russia
Debug artifacts:
  • D:\BranchAI\win\Release\stubs\x86u\ExternalUi.pdb
CompanyName: Car2diag
FileDescription: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
FileVersion: 1.1.0
InternalName: vd_1.1.0_setup
LegalCopyright: Copyright (C) Car2diag
OriginalFileName: vd_1.1.0_setup.exe
ProductName: ВАСЯ диагност
ProductVersion: 1.1.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 16-Aug-2011 09:35:51
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000C653E | 0x000C6600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.62726
.rdata | 0x000C8000 | 0x00030CB2 | 0x00030E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.4147
.data | 0x000F9000 | 0x00008EC4 | 0x00002E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.22785
.rsrc | 0x00102000 | 0x000163BC | 0x00016400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.53486
.reloc | 0x00119000 | 0x00013574 | 0x00013600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.12346

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.22953 | 845 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 3.08438 | 744 | Latin 1 / Western European | Russian - Russia | RT_ICON
3 | 3.20315 | 488 | Latin 1 / Western European | Russian - Russia | RT_ICON
4 | 3.08623 | 296 | Latin 1 / Western European | Russian - Russia | RT_ICON
5 | 5.59298 | 3752 | Latin 1 / Western European | Russian - Russia | RT_ICON
6 | 6.02092 | 2216 | Latin 1 / Western European | Russian - Russia | RT_ICON
7 | 6.00379 | 1736 | Latin 1 / Western European | Russian - Russia | RT_ICON
8 | 4.59129 | 1384 | Latin 1 / Western European | Russian - Russia | RT_ICON
9 | 3.96518 | 1114 | Latin 1 / Western European | Russian - Russia | RT_STRING
10 | 4.22341 | 2032 | Latin 1 / Western European | Russian - Russia | RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
MSIMG32.dll
NETAPI32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Graph nodes (interactive graph available in the full report): start, вася диагност 1.1.exe, вася диагност 1.1.exe, msiexec.exe, msiexec.exe (no specs), вася диагност 1.1.exe, msiexec.exe (no specs), cdm20814_setup.exe (no specs), cdm20814_setup.exe

Process information

PID: 1976
CMD: "C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe"
Path: C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe
Parent process: Explorer.EXE
User: admin
Company: Car2diag
Integrity Level: MEDIUM
Description: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
Exit code: 0
Version: 1.1.0

PID: 4012
CMD: /i "C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\ВАСЯ.msi" AI_SETUPEXEPATH="C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe" SETUPEXEDIR="C:\Users\admin\AppData\Local\Temp\"
Path: C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe
Parent process: ВАСЯ диагност 1.1.exe
User: admin
Company: Car2diag
Integrity Level: MEDIUM
Description: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
Exit code: 0
Version: 1.1.0

PID: 3148
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 740
CMD: C:\Windows\system32\MsiExec.exe -Embedding D98538F8FC31A4F55327D05649460571 C
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3404
CMD: "C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe" /i "C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\ВАСЯ.msi" EXECUTEACTION="INSTALL" SECONDSEQUENCE="1" CLIENTPROCESSID="4012" ADDLOCAL="MainFeature" ACTION="INSTALL" CLIENTUILEVEL="0" INSTALLLEVEL="1000" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_SETUPEXEPATH="C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe" SETUPEXEDIR="C:\Users\admin\AppData\Local\Temp\" TARGETDIR="C:\" APPDIR="C:\Program Files\ВАСЯ диагност\1.1.0\" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ВАСЯ диагност 1.1.0\"
Path: C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe
Parent process: ВАСЯ диагност 1.1.exe
User: admin
Company: Car2diag
Integrity Level: HIGH
Description: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
Exit code: 0
Version: 1.1.0

PID: 900
CMD: C:\Windows\system32\MsiExec.exe -Embedding A00FE99FDBDC0E8C345EC303F489A425
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3052
CMD: "C:\Program Files\ВАСЯ диагност\1.1.0\Driver\CDM20814_Setup.exe"
Path: C:\Program Files\ВАСЯ диагност\1.1.0\Driver\CDM20814_Setup.exe
Parent process: MsiExec.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540

PID: 3848
CMD: "C:\Program Files\ВАСЯ диагност\1.1.0\Driver\CDM20814_Setup.exe"
Path: C:\Program Files\ВАСЯ диагност\1.1.0\Driver\CDM20814_Setup.exe
Parent process: MsiExec.exe
User: admin
Integrity Level: HIGH
Exit code: 2
Total events: 3 347
Read events: 3 198
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 48
Suspicious files: 35
Text files: 2 386
Unknown types: 18

Dropped files

PID | Process | Filename | Type
1976 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\decoder.dll | executable
MD5: 49B60B1C3414C85D69DDF03FAD42A6B2
SHA256: 511595CDEEF5C40093D66F532BA4C207AC343439AA82049162B18E6B5E293173
1976 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\amd64\ftcserco.dll | executable
MD5: 618E1CC7A703C3B4C412E36CB68FE05B
SHA256: F029FADEE7528B17AC3CDD45E1C96590781093BD541C7231A5992177B358B3CC
1976 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\vd.exe.manifest | xml
MD5: 26A7C7C71924B6EBE2201FF0A4E0E821
SHA256: 3C3A3AC34E4EA4600C607C0CF28FE63054C38A34B8D5EC599A5321D2077BF873
1976 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\LCode.ini | text
MD5: 91A94C7D3811C24D42E5C6E6893B28CC
SHA256: 08A18FAFC251B88A90BB106F60C5FA7C69CFD0EC00ABA094579FAD533341F2B7
1976 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\vd.exe | executable
MD5: E845FC9FD35FB60D9B7CD57E290BE0B1
SHA256: 08AF36C7963B3D0DD349A0D8E599099C6A934118BCCD9342814459AFC6FBE858
1976 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Debug\ReadMe.txt | text
MD5: 4A329D42AB14E1FD61014B5FB050C485
SHA256: 9B32937F7CE4E53FE1FAC78293CE4FA34FEFE3AD698F663A6A764699C363FD80
1976 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Labels\LabelVer.txt | text
MD5: 1848E47B498F59C8ED4CFC4F1DAF454A
SHA256: B4AA1DCA3E768E547FF8E20D6E803E86855F0CF1A3AD16DB734E619FAF155FE1
1976 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\amd64\ftbusui.dll | executable
MD5: F9F4126B3724FCA637A391A941C4AF4A
SHA256: 048459C5EE8BA1E2D7D202B2E76D13900969E129B1F065F461BE7A0A760905B2
1976 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Logs\ReadMe.txt | text
MD5: E97EF5822F44877AB466A8E6CAA980ED
SHA256: 3A38202C0028B4B135C6C1C160E26AD371A285F47D563490EF602DE6CFB4CDF9
1976 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\LCode.exe | executable
MD5: 8739BF76E229F3C5729EF682790C08B4
SHA256: AF3E275B652DF036D4C12DC243097E93EF333E8F4DCDAB734CFB697136D6FADD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info