| Field | Value |
|---|---|
| File name | Virus Maker.exe |
| Full analysis | https://app.any.run/tasks/3f6458ea-4e6b-4f31-9753-13bf1cbf761b |
| Verdict | Malicious activity |
| Analysis date | November 10, 2023, 10:51:34 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Indicators | (none listed) |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 | C00845708EE4E6CBAA628A0886076C4D |
| SHA1 | E011D28A40304957961654E62D00754A772FDEE8 |
| SHA256 | 16F14BD60C84A7838B99C34A791D5D334F08EE1E588C95162290CED38DB8B092 |
| SSDEEP | 6144:GJvHYJvHYJvHYJvHYJvHYJvHoJvHYJvHRJvHulhfNPpXomiJvHkDu:kvuvuvuvuvuvevuvjvkPN/Aviu |
| Extension | Detected file type | Probability (%) |
|---|---|---|
| .exe | Generic CIL Executable (.NET, Mono, etc.) | 55.8 |
| .exe | Win64 Executable (generic) | 21 |
| .scr | Windows screen saver | 9.9 |
| .dll | Win32 Dynamic Link Library (generic) | 5 |
| .exe | Win32 Executable (generic) | 3.4 |
| PE / version-info field | Value |
|---|---|
| MachineType | Intel 386 or later, and compatibles |
| TimeStamp | 2015:12:24 21:35:03+01:00 |
| ImageFileCharacteristics | Executable, 32-bit |
| PEType | PE32 |
| LinkerVersion | 11 |
| CodeSize | 3451904 |
| InitializedDataSize | 375808 |
| UninitializedDataSize | - |
| EntryPoint | 0x34cace |
| OSVersion | 4 |
| ImageVersion | - |
| SubsystemVersion | 6 |
| Subsystem | Windows GUI |
| FileVersionNumber | 0.0.0.0 |
| ProductVersionNumber | 0.0.0.0 |
| FileFlagsMask | 0x003f |
| FileFlags | (none) |
| FileOS | Win32 |
| ObjectFileType | Executable application |
| FileSubtype | - |
| LanguageCode | Neutral |
| CharacterSet | Unicode |
| Comments | Virus Maker |
| CompanyName | BlackHost |
| FileDescription | Virus Maker |
| FileVersion | 0.0.0.0 |
| InternalName | Virus Maker.exe |
| LegalCopyright | Copyright © BlackHost |
| LegalTrademarks | BlackHost |
| OriginalFileName | Virus Maker.exe |
| ProductName | Virus Maker |
| ProductVersion | 0.0.0.0 |
| AssemblyVersion | 0.0.0.0 |
| PID | Command line | Path | Indicators | Parent process | User | Integrity level | Exit code | Description | Company | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 124 | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\setup.bat /f | C:\Windows\System32\reg.exe | — | cmd.exe | admin | MEDIUM | 0 | Registry Console Tool | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 128 | attrib +s +r +h C:\AUTOEXEC.BAT | C:\Windows\System32\attrib.exe | — | cmd.exe | admin | MEDIUM | 0 | Attribute Utility | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 128 | notepad.exe | C:\Windows\System32\notepad.exe | — | cmd.exe | admin | MEDIUM | 0 | Notepad | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 240 | notepad.exe | C:\Windows\System32\notepad.exe | — | cmd.exe | admin | MEDIUM | 0 | Notepad | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 272 | attrib +s +r +h C:\AUTOEXEC.BAT | C:\Windows\System32\attrib.exe | — | cmd.exe | admin | MEDIUM | 0 | Attribute Utility | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 276 | notepad.exe | C:\Windows\System32\notepad.exe | — | cmd.exe | admin | MEDIUM | 0 | Notepad | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 280 | attrib +s +r +h C:\AUTOEXEC.BAT | C:\Windows\System32\attrib.exe | — | cmd.exe | admin | MEDIUM | 0 | Attribute Utility | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 284 | notepad.exe | C:\Windows\System32\notepad.exe | — | cmd.exe | admin | MEDIUM | 0 | Notepad | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 292 | notepad.exe | C:\Windows\System32\notepad.exe | — | cmd.exe | admin | MEDIUM | 0 | Notepad | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 296 | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\setup.bat /f | C:\Windows\System32\reg.exe | — | cmd.exe | admin | MEDIUM | 0 | Registry Console Tool | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Key | Value name | Operation | Data |
|---|---|---|---|---|---|
| 3428 | Virus Maker.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | NodeSlots | write | 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 |
| 3428 | Virus Maker.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | MRUListEx | write | 01000000020000000700000000000000060000000C0000000B0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF |
| 3428 | Virus Maker.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | MRUListEx | write | 02000000010000000700000000000000060000000C0000000B0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF |
| 3428 | Virus Maker.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg | TV_FolderType | write | {FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} |
| 3428 | Virus Maker.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg | TV_TopViewID | write | {82BA0782-5B7A-4569-B5D7-EC83085F08CC} |
| 3428 | Virus Maker.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg | TV_TopViewVersion | write | 0 |
| 3428 | Virus Maker.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E | LanguageList | write | en-US |
| 3428 | Virus Maker.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} | Mode | write | 4 |
| 3428 | Virus Maker.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} | LogicalViewMode | write | 1 |
| 3428 | Virus Maker.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} | FFlags | write | 1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3428 | Virus Maker.exe | C:\Users\admin\AppData\Local\Temp\3yjx5xib.cmdline | text | F880B40FDDE0856DD6E5EDE78569D040 | 7F96823005ECED573BFF349B4B9F4F5CCBC893CD87BE87FB16E1E1A906B5C883 |
| 3580 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESE803.tmp | binary | 08E7A1B09EFADF88A1D5C7A15F92AF7F | 648FE3BB90538A5AC8FA00E4AFAD70898A92326CD4490CECCFAF9FBD3FB0887F |
| 3652 | setup.exe | C:\Users\admin\AppData\Local\Temp\cmd.bat | text | A567049679DA1EE8C304E205DC6CBF00 | 22305180F820EAC1BC6BEA38C0487F982B7079E8624DEBFEB743E81C7E5BBE8A |
| 3576 | vbc.exe | C:\Users\admin\AppData\Local\Temp\vbc3704B0E3FD6E4BC99527ED1248DD31C.TMP | binary | 8071879382994B1FF8E5E4CE397A4622 | 6EC31828C59974E1DD24B258455BD3CECD1E76FAA0E9E26C02E659A37B494D46 |
| 3672 | vbc.exe | C:\Users\admin\AppData\Local\Temp\vbcE9716D34F5DB427A9387C57F34DFAEB3.TMP | binary | 154CA39515583A06F75F354D4A107831 | 4D0CA197FC7FE486D6E31C55DBE2618F41ED48D49DBF7C0B1305D40C0376802D |
| 3576 | vbc.exe | C:\Users\admin\AppData\Local\Temp\3yjx5xib.out | text | 40AA005257AA52FB1777887DACD6D4A7 | E05C06F2F6EE9DE6C8376FD0327CCB4D98AFC38BF5B3FF23F0A0F0288EAA4F4A |
| 3428 | Virus Maker.exe | C:\Users\admin\AppData\Local\Temp\hr0rddeq.0.vb | text | 50467BDCF214543BE2111C9B7C19C386 | 70860CE44146CE48347AC089ED22299AD1FEE1A102D2F12D1864172041C20BD4 |
| 3428 | Virus Maker.exe | C:\Users\admin\AppData\Local\Temp\hr0rddeq.cmdline | text | 43F82384F62C62FC3DF04661290A7696 | FCA338466DC1AABEB9F2B72009527A6537FD022873732D08142153013509ABBE |
| 3820 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES7E38.tmp | binary | FF94020361C17228C100058C1CDEEB63 | 988A2540B7E8562A32D95C9581A3A0C42CC07EE73CEE86CD9DE6838082D1510B |
| 3576 | vbc.exe | C:\Users\admin\Desktop\setup.exe | executable | E03310E7B2E1ADF7CD8AEB6B008D25F6 | 7008130DEDD57F556CF9A3EC762AE2C08D2062F398EF83D2E35FDBDA91F89259 |
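The process and file tables above carry three behaviours worth turning into checks: cmd.exe spawning reg.exe to add a Run value named AVAADA that points at C:\Windows\setup.bat (user-level autostart persistence), attrib.exe setting +s +r +h on C:\AUTOEXEC.BAT (hiding a file from default Explorer views), and Virus Maker.exe writing *.cmdline and *.0.vb files in %TEMP% that vbc.exe then compiles into C:\Users\admin\Desktop\setup.exe, with cvtres.exe RES*.tmp intermediates. That last naming pattern is consistent with a .NET program compiling source at runtime through CodeDOM (VBCodeProvider), which is how a "builder" turns a template into a fresh, unique payload. The script below is an added example, not ANY.RUN's code or the sample's: it runs the three checks over event records constructed to mirror the rows above. It assumes reg.exe arguments are unquoted (true for the command lines in this report) and treats csc.exe and vbc.exe as the compilers of interest.

```python
"""Three detection checks over sandbox-style process/file events.
Added example; the events are constructed from the report tables above."""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str
    parent_image: str


@dataclass
class FileEvent:
    pid: int
    image: str          # writing process name, as in the report's file table
    path: str


# Constructed from the process table; notepad.exe is benign noise the checks must ignore.
PROCS = [
    ProcEvent(124, r"C:\Windows\System32\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\setup.bat /f",
              "cmd.exe"),
    ProcEvent(128, r"C:\Windows\System32\attrib.exe", r"attrib +s +r +h C:\AUTOEXEC.BAT", "cmd.exe"),
    ProcEvent(240, r"C:\Windows\System32\notepad.exe", "notepad.exe", "cmd.exe"),
]

# Constructed from the file table (writer names and paths as reported).
FILES = [
    FileEvent(3428, "Virus Maker.exe", r"C:\Users\admin\AppData\Local\Temp\3yjx5xib.cmdline"),
    FileEvent(3428, "Virus Maker.exe", r"C:\Users\admin\AppData\Local\Temp\hr0rddeq.0.vb"),
    FileEvent(3580, "cvtres.exe", r"C:\Users\admin\AppData\Local\Temp\RESE803.tmp"),
    FileEvent(3576, "vbc.exe", r"C:\Users\admin\AppData\Local\Temp\3yjx5xib.out"),
    FileEvent(3576, "vbc.exe", r"C:\Users\admin\Desktop\setup.exe"),
    FileEvent(3652, "setup.exe", r"C:\Users\admin\AppData\Local\Temp\cmd.bat"),
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")
COMPILERS = {"vbc.exe", "csc.exe"}          # assumption: the runtime compilers we care about
SOURCE_EXT = (".cmdline", ".vb", ".cs")      # CodeDOM response file and source extensions


def parse_reg_add(cmdline: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (key, {'/v': name, '/t': type, '/d': data}) for a 'reg add' command line."""
    toks = cmdline.split()                   # assumption: no quoted arguments
    if len(toks) < 3 or toks[0].lower() != "reg" or toks[1].lower() != "add":
        return None
    opts: Dict[str, str] = {}
    i = 3
    while i + 1 < len(toks):
        if toks[i].lower() in ("/v", "/t", "/d"):
            opts[toks[i].lower()] = toks[i + 1]
            i += 2
        else:
            i += 1
    return toks[2], opts


def detect_run_key_persistence(procs: List[ProcEvent]) -> List[dict]:
    """reg.exe adding a value under ...\\CurrentVersion\\Run or RunOnce."""
    hits = []
    for p in procs:
        if not p.image.lower().endswith("reg.exe"):
            continue
        parsed = parse_reg_add(p.cmdline)
        if parsed is None or not RUN_KEY.search(parsed[0]):
            continue
        key, opts = parsed
        data = opts.get("/d", "")
        hits.append({"pid": p.pid, "parent": p.parent_image, "key": key,
                     "value_name": opts.get("/v"), "data": data,
                     "is_script": data.lower().endswith(SCRIPT_EXT)})
    return hits


def detect_attrib_hiding(procs: List[ProcEvent]) -> List[dict]:
    """attrib.exe setting both +s and +h: the file disappears from default Explorer views."""
    hits = []
    for p in procs:
        if not p.image.lower().endswith("attrib.exe"):
            continue
        args = p.cmdline.split()[1:]
        flags = {a.lower() for a in args if a[:1] in "+-"}
        targets = [a for a in args if a[:1] not in "+-/"]
        if {"+s", "+h"} <= flags:
            hits.append({"pid": p.pid, "parent": p.parent_image,
                         "flags": sorted(flags), "targets": targets})
    return hits


def detect_runtime_compilation(files: List[FileEvent]) -> Optional[dict]:
    """A non-compiler process drops source/.cmdline files and csc/vbc then emits a PE."""
    sources = [f for f in files
               if f.image.lower() not in COMPILERS and f.path.lower().endswith(SOURCE_EXT)]
    outputs = [f.path for f in files
               if f.image.lower() in COMPILERS and f.path.lower().endswith((".exe", ".dll"))]
    if not sources or not outputs:
        return None
    return {"source_writer": sorted({(s.pid, s.image) for s in sources}),
            "sources": [s.path for s in sources],
            "compiled": outputs}


def analyse(procs: List[ProcEvent] = PROCS, files: List[FileEvent] = FILES) -> dict:
    return {"run_key_persistence": detect_run_key_persistence(procs),
            "attrib_hiding": detect_attrib_hiding(procs),
            "runtime_compilation": detect_runtime_compilation(files)}


if __name__ == "__main__":
    print(json.dumps(analyse(), indent=2))
```

On this report the first check returns the AVAADA value with data C:\Windows\setup.bat and is_script set, the second returns the +s +r +h call against C:\AUTOEXEC.BAT, and the third pairs the .cmdline/.vb writer (PID 3428, Virus Maker.exe) with the vbc.exe output on the Desktop. On a live host the equivalent triage is to read HKCU\Software\Microsoft\Windows\CurrentVersion\Run for the AVAADA value and to list %TEMP% for leftover *.cmdline, *.0.vb and *.out files, which CodeDOM normally deletes only when compilation succeeds and the caller does not keep temp files.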
| PID | Process | IP:port | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |