File name: ВАСЯ диагност 1.1.exe
Full analysis: https://app.any.run/tasks/e19585fa-3dd9-4127-b0e3-c1093d400f96
Verdict: Malicious activity
Analysis date: August 12, 2022, 16:05:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 84EB8B45ADF54CD9F364C347421FCE75
SHA1: 84075EFFD993E3450BDB898ADC6943DFBDC87599
SHA256: 03A3EDB161597BDA64D7A734AF85F936D8961A7DB151CC14C9D72A482281593C
SSDEEP: 196608:QUHkek8H+/rRhBy9K88FR9O/fuFyj1R4Yqdt:9Hkekj/VhAy9O/fuchRqdt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • ВАСЯ диагност 1.1.exe (PID: 3160)
      • ВАСЯ диагност 1.1.exe (PID: 340)
    • Loads dropped or rewritten executable
      • ВАСЯ диагност 1.1.exe (PID: 3160)
  • SUSPICIOUS
    • Reads the computer name
      • ВАСЯ диагност 1.1.exe (PID: 3160)
      • ВАСЯ диагност 1.1.exe (PID: 340)
      • msiexec.exe (PID: 1336)
      • MsiExec.exe (PID: 1436)
    • Checks supported languages
      • ВАСЯ диагност 1.1.exe (PID: 3160)
      • msiexec.exe (PID: 1336)
      • ВАСЯ диагност 1.1.exe (PID: 340)
      • MsiExec.exe (PID: 1436)
    • Drops a file with a compile date too recent
      • ВАСЯ диагност 1.1.exe (PID: 3160)
      • ВАСЯ диагност 1.1.exe (PID: 340)
    • Executable content was dropped or overwritten
      • ВАСЯ диагност 1.1.exe (PID: 3160)
      • ВАСЯ диагност 1.1.exe (PID: 340)
    • Application launched itself
      • ВАСЯ диагност 1.1.exe (PID: 3160)
    • Reads the Windows organization settings
      • ВАСЯ диагност 1.1.exe (PID: 340)
    • Reads Windows owner or organization settings
      • ВАСЯ диагност 1.1.exe (PID: 340)
    • Creates a directory in Program Files
      • DllHost.exe (PID: 4048)
    • Executed via COM
      • DllHost.exe (PID: 4048)
  • INFO
    • Application launched itself
      • msiexec.exe (PID: 1336)
    • Reads the computer name
      • DllHost.exe (PID: 4048)
    • Checks supported languages
      • DllHost.exe (PID: 4048)
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

ProductVersion: 1.1.0
ProductName: ВАСЯ диагност
OriginalFileName: vd_1.1.0_setup.exe
LegalCopyright: Copyright (C) Car2diag
InternalName: vd_1.1.0_setup
FileVersion: 1.1.0
FileDescription: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
CompanyName: Car2diag
CharacterSet: Unicode
LanguageCode: Russian
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Win32
FileFlags: Debug
FileFlagsMask: 0x003f
ProductVersionNumber: 1.1.0.0
FileVersionNumber: 1.1.0.0
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x993d9
UninitializedDataSize: -
InitializedDataSize: 382464
CodeSize: 812544
LinkerVersion: 9
PEType: PE32
TimeStamp: 2011:08:16 11:35:51+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Aug-2011 09:35:51
Detected languages:
  • English - United States
  • Russian - Russia
Debug artifacts:
  • D:\BranchAI\win\Release\stubs\x86u\ExternalUi.pdb
CompanyName: Car2diag
FileDescription: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
FileVersion: 1.1.0
InternalName: vd_1.1.0_setup
LegalCopyright: Copyright (C) Car2diag
OriginalFileName: vd_1.1.0_setup.exe
ProductName: ВАСЯ диагност
ProductVersion: 1.1.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 16-Aug-2011 09:35:51
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000C653E | 0x000C6600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.62726
.rdata | 0x000C8000 | 0x00030CB2 | 0x00030E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.4147
.data | 0x000F9000 | 0x00008EC4 | 0x00002E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.22785
.rsrc | 0x00102000 | 0x000163BC | 0x00016400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.53486
.reloc | 0x00119000 | 0x00013574 | 0x00013600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.12346

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.22953 | 845 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 3.08438 | 744 | Latin 1 / Western European | Russian - Russia | RT_ICON
3 | 3.20315 | 488 | Latin 1 / Western European | Russian - Russia | RT_ICON
4 | 3.08623 | 296 | Latin 1 / Western European | Russian - Russia | RT_ICON
5 | 5.59298 | 3752 | Latin 1 / Western European | Russian - Russia | RT_ICON
6 | 6.02092 | 2216 | Latin 1 / Western European | Russian - Russia | RT_ICON
7 | 6.00379 | 1736 | Latin 1 / Western European | Russian - Russia | RT_ICON
8 | 4.59129 | 1384 | Latin 1 / Western European | Russian - Russia | RT_ICON
9 | 3.96518 | 1114 | Latin 1 / Western European | Russian - Russia | RT_STRING
10 | 4.22341 | 2032 | Latin 1 / Western European | Russian - Russia | RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
MSIMG32.dll
NETAPI32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes:
  • start
  • вася диагност 1.1.exe
  • вася диагност 1.1.exe
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • Copy/Move/Rename/Delete/Link Object (no specs)

Process information

PID: 3160
CMD: "C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe"
Path: C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe
Parent process: Explorer.EXE
User: admin
Company: Car2diag
Integrity Level: MEDIUM
Description: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
Version: 1.1.0

PID: 340
CMD: /i "C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\ВАСЯ.msi" AI_SETUPEXEPATH="C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe" SETUPEXEDIR="C:\Users\admin\AppData\Local\Temp\"
Path: C:\Users\admin\AppData\Local\Temp\ВАСЯ диагност 1.1.exe
Parent process: ВАСЯ диагност 1.1.exe
User: admin
Company: Car2diag
Integrity Level: MEDIUM
Description: Эта база данных содержит все необходимое для установки ВАСЯ диагност.
Version: 1.1.0

PID: 1336
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 1436
CMD: C:\Windows\system32\MsiExec.exe -Embedding A11231D9D9534D1517C08DA8C4DDC0CF C
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 4048
CMD: C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 6 560
Read events: 6 390
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 25
Suspicious files: 15
Text files: 1 200
Unknown types: 6

Dropped files

PID | Process | Filename | Type
3160 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\CDM20814_Setup.exe | executable
MD5: 080C9F252D15D67540C7F82173D5A135
SHA256: 35F4B0FB91145D56BDED0E71A2EAF8D713C3676971F79BC3A7201333D951DFB7
3160 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\ftd2xx.h | text
MD5: 30C72676B95D747E80C54F096DD231BB
SHA256: 90432B8FB114EF0AD4519588172C60D9ABFA477E4A68ABDE05A37E9052A6C338
3160 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\i386\ftcserco.dll | executable
MD5: C0FFD52B4E3A7C789D23B0DE3131027D
SHA256: 555F9F4AADD979C90A98ECF6A9BDE68815DBC3D102C0D0F9451A195641C9BC45
3160 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\TDIGraph.exe | executable
MD5: E61266337921315B198D64D888CDE42C
SHA256: 0492FBA45C9592B59D7A078C4B7A09A578730669D82E92950A5698B5D06D8944
3160 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\vd.exe.manifest | xml
MD5: 26A7C7C71924B6EBE2201FF0A4E0E821
SHA256: 3C3A3AC34E4EA4600C607C0CF28FE63054C38A34B8D5EC599A5321D2077BF873
3160 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\amd64\ftbusui.dll | executable
MD5: F9F4126B3724FCA637A391A941C4AF4A
SHA256: 048459C5EE8BA1E2D7D202B2E76D13900969E129B1F065F461BE7A0A760905B2
3160 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\AutoScan.txt | text
MD5: 212F36431702AD0C3FFFC33F50B2B8F1
SHA256: 1DACA662E49C44FC72E78E1986CE18A3EF03D6BD36C59165A19D04F862F93F97
3160 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\LCode.ini | text
MD5: 91A94C7D3811C24D42E5C6E6893B28CC
SHA256: 08A18FAFC251B88A90BB106F60C5FA7C69CFD0EC00ABA094579FAD533341F2B7
3160 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\decoder.dll | executable
MD5: 49B60B1C3414C85D69DDF03FAD42A6B2
SHA256: 511595CDEEF5C40093D66F532BA4C207AC343439AA82049162B18E6B5E293173
3160 | ВАСЯ диагност 1.1.exe | C:\Users\admin\AppData\Roaming\Car2diag\ВАСЯ диагност\install\5359E47\Driver\amd64\ftd2xx64.dll | executable
MD5: 04E2D6F40D388DD2324CF574A604B842
SHA256: 27005B9ECBC9863A5BA9174BDB0A449B5868814FA1D21B2760C29345168D95FA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info