File name: | CheVolume-0.5.0.0.exe |
Full analysis: | https://app.any.run/tasks/c8c2a3d8-1999-4226-8969-5b6666eb48fa |
Verdict: | Malicious activity |
Analysis date: | April 25, 2019, 15:25:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | 90829B374E87A8566240D511E45A4307 |
SHA1: | 1E7D2D2F95CCFCFFE8DE63599D1EFEC39041F36F |
SHA256: | 481945D2FBC08EA7D32B2B4BB0946BFBA8049FF3B9918B9A665B5B2630758AE9 |
SSDEEP: | 786432:Vhbpkv4mmvo7pLskTDNbuu6X+lHpsLxyQJafNZ+NYfzSKOE3:Vppkv4mmvWpLskTDlK+JpsLxyQJ4NZbn |
Extension | Detected type (match %) |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (67.4) |
.dll | Win32 Dynamic Link Library (generic) (14.2) |
.exe | Win32 Executable (generic) (9.7) |
.exe | Generic Win/DOS Executable (4.3) |
.exe | DOS Executable Generic (4.3) |
Version info field | Value |
---|---|
ProductName: | CheVolume |
LegalCopyright: | Author © 2016 |
FileVersion: | 0.5.0.0 |
FileDescription: | Application |
CompanyName: | WellWeWeb |
CharacterSet: | Windows, Latin1 |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 0.5.0.0 |
FileVersionNumber: | 0.5.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | 6 |
OSVersion: | 4 |
EntryPoint: | 0x310f |
UninitializedDataSize: | 1024 |
InitializedDataSize: | 162816 |
CodeSize: | 24576 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2016:04:03 22:18:59+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 03-Apr-2016 20:18:59 |
Detected languages: | |
CompanyName: | WellWeWeb |
FileDescription: | Application |
FileVersion: | 0.5.0.0 |
LegalCopyright: | Author © 2016 |
ProductName: | CheVolume |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of new EXE header (e_lfanew, file offset of the PE signature): | 0x000000D8 |
PE file header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 03-Apr-2016 20:18:59 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00005FDD | 0x00006000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.49972 |
.rdata | 0x00007000 | 0x00001352 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.20754 |
.data | 0x00009000 | 0x000254F8 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.03235 |
.ndata | 0x0002F000 | 0x00013000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00042000 | 0x000198A8 | 0x00019A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.71904 |

Note: .ndata (raw size 0, uninitialized) is the data section of the NSIS installer stub, consistent with the "Nullsoft Installer self-extracting archive" identification above. No section is both writable and executable, and the highest entropy (.text, 6.5) is within the normal range for uncompressed x86 code; the compressed installer payload sits in the overlay after the last section, which this table does not cover.
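How a section table like the one above is produced, as an added example in Python (not the sandbox's tooling and not CheVolume code): it walks the PE headers, computes Shannon entropy per section, and applies the three checks a reviewer runs over such a table (writable-and-executable sections, packed-looking content, raw/virtual mismatch). Because the sample itself is not embedded here, build_sample_pe() constructs a minimal PE32 image whose five section headers copy the names, sizes, addresses and flags reported above, with synthetic section bodies; the resulting entropies are therefore illustrative, not the report's, and the 7.0 threshold is an assumption.

```python
"""Re-derive a PE section table: walk the headers and compute per-section entropy.

Added example, not the sandbox's tooling and not CheVolume code. build_sample_pe() builds a
constructed PE32 image; its headers mirror the report above, its section bodies are synthetic.
"""
import math
import struct

# IMAGE_SCN_* section flags (winnt.h)
SCN_CNT_CODE = 0x00000020
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_CNT_UNINITIALIZED_DATA = 0x00000080
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000
PACKED_ENTROPY_THRESHOLD = 7.0  # assumption: above this, treat a section as compressed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> IMAGE_SECTION_HEADER[] (40 bytes each)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _stamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size  # the section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, va, raw_size, raw_ptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
                         "characteristics": chars, "entropy": shannon_entropy(raw)})
    return sections


def triage(sections: list) -> list:
    """Checks a reviewer wants on a section table: W+X, packed-looking content, raw/virtual mismatch."""
    findings = []
    for s in sections:
        c = s["characteristics"]
        if c & SCN_MEM_WRITE and c & SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: writable and executable")
        if s["entropy"] > PACKED_ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} suggests packed or encrypted content")
        if s["raw_size"] == 0 and not c & SCN_CNT_UNINITIALIZED_DATA:
            findings.append(f"{s['name']}: no raw data but not flagged as uninitialized")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 image. Headers mirror the report; each body repeats an alphabet of a chosen
    size so the section entropy is exactly log2(alphabet): 6.0, 4.0, 0.0, (no data), 8.0."""
    specs = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics, alphabet size
        (b".text", 0x5FDD, 0x1000, 0x6000, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ, 64),
        (b".rdata", 0x1352, 0x7000, 0x1400, SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ, 16),
        (b".data", 0x254F8, 0x9000, 0x600, SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE, 1),
        (b".ndata", 0x13000, 0x2F000, 0, SCN_CNT_UNINITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE, 1),
        (b".rsrc", 0x198A8, 0x42000, 0x19A00, SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ, 256),
    ]
    e_lfanew, opt_size = 0xD8, 0xE0  # as reported above
    dos = bytearray(e_lfanew)  # MZ header plus zero padding in place of a real DOS stub
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: i386, 5 sections, 2016-04-03 20:18:59 UTC, EXECUTABLE_IMAGE | 32BIT_MACHINE (assumed)
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 1459714739, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(opt_size - 2)  # PE32 magic, remaining fields zeroed
    raw_ptr = e_lfanew + 4 + len(coff) + opt_size + 40 * len(specs)  # bodies start right after the table
    headers, bodies = b"", b""
    for name, vsize, va, raw_size, chars, alphabet in specs:
        body = bytes(range(alphabet)) * (raw_size // alphabet)
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr if raw_size else 0,
                               0, 0, 0, 0, chars)
        raw_ptr += raw_size
        bodies += body
    return bytes(dos) + b"PE\0\0" + coff + optional + headers + bodies


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} VA 0x{s['virtual_address']:08X} vsize 0x{s['virtual_size']:08X} "
              f"raw 0x{s['raw_size']:08X} flags 0x{s['characteristics']:08X} entropy {s['entropy']:.5f}")
    print(triage(secs))
```

Run against the real file, parse_sections(open(path, "rb").read()) reproduces the columns above; the constructed image deliberately gives .rsrc an entropy of 8.0 so that the packed-content check fires once, which the report's .rsrc (3.7) would not.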
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.28725 | 1072 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 3.71669 | 16936 | UNKNOWN | English - United States | RT_ICON |
3 | 3.89952 | 9640 | UNKNOWN | English - United States | RT_ICON |
4 | 4.27568 | 4264 | UNKNOWN | English - United States | RT_ICON |
5 | 6.12697 | 1128 | UNKNOWN | English - United States | RT_ICON |
6 | 0 | 744 | UNKNOWN | English - United States | RT_ICON |
7 | 0 | 296 | UNKNOWN | English - United States | RT_ICON |
103 | 2.93391 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.68372 | 512 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG |
Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2780 | "C:\Users\admin\AppData\Local\Temp\CheVolume-0.5.0.0.exe" | C:\Users\admin\AppData\Local\Temp\CheVolume-0.5.0.0.exe | — | explorer.exe |
User: admin, Company: WellWeWeb, Integrity Level: MEDIUM, Description: Application, Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image requires elevation, so the medium-integrity start fails and the same command line is re-launched through UAC as PID 1548), Version: 0.5.0.0 |
1548 | "C:\Users\admin\AppData\Local\Temp\CheVolume-0.5.0.0.exe" | C:\Users\admin\AppData\Local\Temp\CheVolume-0.5.0.0.exe | — | explorer.exe |
User: admin, Company: WellWeWeb, Integrity Level: HIGH, Description: Application, Exit code: 0, Version: 0.5.0.0 |
4020 | "C:\Program Files\WellWeWeb\CheVolume\vc_redist.x86.exe" /q /norestart | C:\Program Files\WellWeWeb\CheVolume\vc_redist.x86.exe | — | CheVolume-0.5.0.0.exe |
User: admin, Company: Microsoft Corporation, Integrity Level: HIGH, Description: Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23918, Exit code: 1638 (ERROR_PRODUCT_VERSION: another version of this product is already installed), Version: 14.0.23918.0 |
2528 | "C:\Program Files\WellWeWeb\CheVolume\vc_redist.x86.exe" /q /norestart -burn.unelevated BurnPipe.{28E97F4F-8996-4795-AA1E-A721AA34785A} {015A5C7C-FF2A-4201-BB14-AD1E73045E0F} 4020 | C:\Program Files\WellWeWeb\CheVolume\vc_redist.x86.exe | — | vc_redist.x86.exe |
User: admin, Company: Microsoft Corporation, Integrity Level: HIGH, Description: Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23918, Exit code: 1638 (ERROR_PRODUCT_VERSION), Version: 14.0.23918.0 |
332 | "C:\Program Files\WellWeWeb\CheVolume\dotNetFx35setup.exe" | C:\Program Files\WellWeWeb\CheVolume\dotNetFx35setup.exe | — | CheVolume-0.5.0.0.exe |
User: admin, Company: Microsoft Corporation, Integrity Level: HIGH, Description: Microsoft .NET Framework 3.5 Setup, Exit code: 0, Version: 3.5.21022.08 |
1004 | "C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe" | C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe | — | explorer.exe |
User: admin, Company: WellWeWeb, Integrity Level: MEDIUM, Description: CheVolume, Version: 0.5.0.0 (no exit code recorded) |
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
1548 | CheVolume-0.5.0.0.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ${_APP_NAME} | C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe |
1548 | CheVolume-0.5.0.0.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CheVolume.exe | (Default) | C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe |
1548 | CheVolume-0.5.0.0.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CheVolume | DisplayName | CheVolume |
1548 | CheVolume-0.5.0.0.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CheVolume | UninstallString | C:\Program Files\WellWeWeb\CheVolume\uninstall.exe |
1548 | CheVolume-0.5.0.0.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CheVolume | DisplayIcon | C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe |
1548 | CheVolume-0.5.0.0.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CheVolume | DisplayVersion | 0.5.0.0 |
1548 | CheVolume-0.5.0.0.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CheVolume | Publisher | WellWeWeb |
1548 | CheVolume-0.5.0.0.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CheVolume | URLInfoAbout | www.chevolume.com |
1004 | CheVolume.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CheVolume_RASAPI32 | EnableFileTracing | 0 |
1004 | CheVolume.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CheVolume_RASAPI32 | EnableConsoleTracing | 0 |

Note: the Run value is machine-wide autostart persistence (HKLM, written by the elevated installer instance), which is what makes CheVolume.exe start for every user at logon. Its value name is the literal text ${_APP_NAME}, NSIS define syntax that appears not to have been expanded when the installer was built. The Tracing\CheVolume_RASAPI32 values are created automatically by Windows RAS tracing when a process loads rasapi32.dll and are not an indicator on their own.
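Triage of the process and registry records above, as an added example in Python (not the sandbox's code and not CheVolume's): it decodes the two non-zero exit codes, pairs the failed medium-integrity start with its elevated re-launch, and flags the HKLM Run registration together with its unexpanded NSIS-style value name. PROCESSES and REGISTRY are constructed inside the block from a subset of the rows above; the integrity ranking and the code tables are general Windows facts.

```python
"""Triage of sandbox process and registry events: exit codes, UAC re-launch, autostart persistence.

Added example, not the sandbox's or CheVolume's code. PROCESSES and REGISTRY are constructed
from a subset of the rows in the report above.
"""
import re

INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
STATUS_ELEVATION_REQUIRED = 0xC000042C  # NTSTATUS; the sandbox reports it as unsigned decimal 3221226540
NTSTATUS_NAMES = {STATUS_ELEVATION_REQUIRED: "STATUS_ELEVATION_REQUIRED"}
WIN32_ERROR_NAMES = {0: "ERROR_SUCCESS",
                     1638: "ERROR_PRODUCT_VERSION (another version of this product is already installed)"}
AUTOSTART_SUFFIXES = (r"\microsoft\windows\currentversion\run", r"\microsoft\windows\currentversion\runonce")
# NSIS compile-time defines (${NAME}) or language strings ($(NAME)) left as literal text in a value name
UNEXPANDED_NSIS = re.compile(r"\$\{[^}]+\}|\$\([^)]+\)")

INSTALLER = r"C:\Users\admin\AppData\Local\Temp\CheVolume-0.5.0.0.exe"
PROCESSES = [  # constructed from the process table above
    {"pid": 2780, "image": INSTALLER, "integrity": "MEDIUM", "exit_code": 3221226540, "parent": "explorer.exe"},
    {"pid": 1548, "image": INSTALLER, "integrity": "HIGH", "exit_code": 0, "parent": "explorer.exe"},
    {"pid": 4020, "image": r"C:\Program Files\WellWeWeb\CheVolume\vc_redist.x86.exe", "integrity": "HIGH",
     "exit_code": 1638, "parent": "CheVolume-0.5.0.0.exe"},
    {"pid": 332, "image": r"C:\Program Files\WellWeWeb\CheVolume\dotNetFx35setup.exe", "integrity": "HIGH",
     "exit_code": 0, "parent": "CheVolume-0.5.0.0.exe"},
    {"pid": 1004, "image": r"C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe", "integrity": "MEDIUM",
     "exit_code": None, "parent": "explorer.exe"},
]
REGISTRY = [  # constructed from the registry table above
    {"pid": 1548, "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "${_APP_NAME}", "value": r"C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe"},
    {"pid": 1548, "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CheVolume.exe",
     "name": "", "value": r"C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe"},
    {"pid": 1548, "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CheVolume",
     "name": "UninstallString", "value": r"C:\Program Files\WellWeWeb\CheVolume\uninstall.exe"},
    {"pid": 1004, "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CheVolume_RASAPI32",
     "name": "EnableFileTracing", "value": "0"},
]


def decode_exit_code(code):
    """Sandbox exit codes are unsigned 32-bit: severity bit set means NTSTATUS, otherwise a Win32 error."""
    if code is None:
        return "no exit code recorded"
    if code & 0x80000000:
        return f"0x{code:08X} {NTSTATUS_NAMES.get(code, '(NTSTATUS)')}"
    return f"{code} {WIN32_ERROR_NAMES.get(code, '(Win32 error)')}"


def elevation_relaunches(processes):
    """(failed_pid, elevated_pid) pairs: the same image started again at higher integrity after an
    instance failed with STATUS_ELEVATION_REQUIRED, i.e. a UAC prompt was shown and accepted."""
    pairs = []
    for failed in (p for p in processes if p["exit_code"] == STATUS_ELEVATION_REQUIRED):
        for p in processes:
            if (p is not failed and p["image"] == failed["image"]
                    and INTEGRITY_RANK[p["integrity"]] > INTEGRITY_RANK[failed["integrity"]]):
                pairs.append((failed["pid"], p["pid"]))
    return pairs


def persistence_findings(registry_events, processes):
    """Autostart registrations: who wrote them, at what scope, and whether the name looks like script residue."""
    integrity = {p["pid"]: p["integrity"] for p in processes}
    findings = []
    for e in registry_events:
        if not e["key"].lower().endswith(AUTOSTART_SUFFIXES):
            continue
        scope = "machine-wide" if e["key"].upper().startswith("HKEY_LOCAL_MACHINE") else "per-user"
        findings.append(f"pid {e['pid']} ({integrity.get(e['pid'], '?')} integrity) registered {scope} "
                        f"autostart '{e['name']}' -> {e['value']}")
        if UNEXPANDED_NSIS.search(e["name"]):
            findings.append(f"pid {e['pid']}: value name '{e['name']}' looks like an unexpanded installer-script variable")
    return findings


def triage(processes, registry_events):
    lines = [f"pid {p['pid']} {p['integrity']} exit {decode_exit_code(p['exit_code'])}" for p in processes]
    lines += [f"pid {a} re-launched elevated as pid {b}" for a, b in elevation_relaunches(processes)]
    return lines + persistence_findings(registry_events, processes)


if __name__ == "__main__":
    print("\n".join(triage(PROCESSES, REGISTRY)))
```

The App Paths and Uninstall writes are deliberately not flagged: they are ordinary installer bookkeeping, and an alert that fires on every Uninstall key is noise. Only the Run/RunOnce suffixes count as autostart here; a production rule would extend AUTOSTART_SUFFIXES with the other autostart locations it cares about.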
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe | executable | C16726328A23D162B48B9B7D055258FE | 6B4E8784D20DDB7C46319CD1ACBC1FCA0850D66EE1D305BC7F663DE01399F9AA |
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\CheV.exe | executable | 55ADBDF7A813BAADDF7992C8F69D9761 | 2CB92980C6817FCE651449DF25DAA76746133CB79307054507BD8C181A665C1E |
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\appicon.ico | image | 196EC0E6ED903D9F01406ECFF68E94D4 | 3FFF97154B22529E7F3D8777D8E8E4F57E1C363694F0FF47B6115DB9A35E6085 |
1548 | CheVolume-0.5.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsf6792.tmp\modern-wizard.bmp | image | 3E5A56C18B19807A55C4511E69FA26F6 | A4A1C1C54C365EDE18B9B73C138A3EA5474BFC57909080F09C656ADBEFEED9C5 |
1548 | CheVolume-0.5.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsf6792.tmp\modern-header.bmp | image | 782A22FD3AA0EB0588986948AAEE3A11 | 70A747EB7590304B99D5AF4671B308CF7E0C7752A01F10378059FD7B7A5EBEBE |
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\vc_redist.x64.exe | executable | 883C499D04C145A69622F7658E353265 | DF58F4AA566A10776C864C1007E0AC0987835FA1E9F7445BED8BA21A9101D414 |
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\CheVolume64.dll | executable | 612093EC2C8D3CD19C79E1191BAAAC11 | 12A9AF6291C1CC0E89FF6CD4FB28CF5FCA897484FCE7EA82431B644C1E5492DC |
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\CheVolume.dll | executable | CE01A4558409B39CB94A90EFA7A4DC6D | F833414D6BCE2A37034F0F89FEAE3410DCFD9AE4AC849A949F0A29CAA4589781 |
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\LicensingUI.Net.dll | executable | 188A1AEA0C2475B7F9FBD24AD33BB64C | 3275092FC7D5EF413E3697C9F71FCDB0567867D653761DB6FE119A74D87A9E02 |
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\CheV64.exe | executable | 0B0DCF91C192E8F42C76835F3C44BF07 | 1474AC81695614C806ECC46A529297D862C4DDBE73EE3F3A404080F25A5C69F8 |

Note: this is the sandbox's selection of dropped files, not a complete listing; vc_redist.x86.exe and dotNetFx35setup.exe, which the installer executed from the same directory, do not appear among the rows shown.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1004 | CheVolume.exe | GET | 200 | 37.187.236.124:80 | http://www.chevolume.com/LicensingService/Activate.ashx?LicenseKey=AAADM-LCCKT-WTE4V-HL3UC-GXSNR&HardwareId=BX2PW-8EEFC-RHZKB-JV82G-JLEAA&ProductId=1 | FR | text | 29 B | unknown |

Note: the license key and hardware ID are sent as cleartext query parameters over plain HTTP (port 80, no TLS), so anyone on the path can read or replay them and they are retained in proxy and server logs; the 29-byte text body is the activation response.
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1004 | CheVolume.exe | 129.6.15.28:13 | time-a.nist.gov | National Bureau of Standards | US | unknown |
1004 | CheVolume.exe | 129.6.15.27:13 | time-d.nist.gov | National Bureau of Standards | US | unknown |
1004 | CheVolume.exe | 64.236.96.53:13 | nist1.aol-va.symmetricom.com | AOL Transit Data Network | US | unknown |
1004 | CheVolume.exe | 129.6.15.29:13 | time-b.nist.gov | National Bureau of Standards | US | unknown |
1004 | CheVolume.exe | 67.227.226.241:13 | nist1-nj.ustiming.org | Liquid Web, L.L.C | US | malicious |
— | — | 37.187.236.124:80 | www.chevolume.com | OVH SAS | FR | unknown |
1004 | CheVolume.exe | 54.72.9.51:13 | wolfnisttime.com | Amazon.com, Inc. | IE | malicious |
1004 | CheVolume.exe | 132.163.96.2:13 | time-b.timefreq.bldrdoc.gov | National Bureau of Standards | US | unknown |
1004 | CheVolume.exe | 132.163.97.1:13 | wwv.nist.gov | National Bureau of Standards | US | unknown |
1004 | CheVolume.exe | 132.163.97.4:13 | nist.expertsmi.com | National Bureau of Standards | US | unknown |

Note: port 13 is the Daytime service (RFC 867); every host above except www.chevolume.com is a NIST Internet Time Service server or a mirror of one, and the "And the winner is..." debug line below shows the application querying several of them and keeping the first usable reply. The reputation column is the sandbox's own label for each host.
Domain | IP | Reputation |
---|---|---|
www.chevolume.com | | unknown |
nist1-nj.ustiming.org | | malicious |
nist1-nj2.ustiming.org | | malicious |
nist1-ny2.ustiming.org | | malicious |
nist1-pa.ustiming.org | | malicious |
time-a.nist.gov | | whitelisted |
time-b.nist.gov | | whitelisted |
time-d.nist.gov | | unknown |
nist1.aol-va.symmetricom.com | | unknown |
nist1-atl.ustiming.org | | malicious |
Process | Message |
---|---|
CheVolume.exe | And the winner is... time-a.nist.gov |
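The two kinds of network activity recorded above for PID 1004, as an added example in Python (not the sandbox's code and not CheVolume's): parsing the captured activation URL to show exactly what crosses the wire in cleartext, and redacting it for an IOC list; then parsing NIST Daytime (TCP/13) replies in the documented JJJJJ YR-MO-DA HH:MM:SS TT L H msADV UTC(NIST) OTM format and selecting the first healthy, self-consistent responder, which is the behaviour the "And the winner is..." debug line suggests. The Daytime reply lines are constructed here, not captured traffic, and SENSITIVE_PARAMS is an assumption about which query parameters count as secrets.

```python
"""Network artifacts of PID 1004: the plain-HTTP activation request and the TCP/13 Daytime replies.

Added example, not the sandbox's or CheVolume's code. ACTIVATION_URL is the request captured in
the report; SAMPLE_REPLIES are Daytime reply lines constructed in the NIST format, not captured
traffic. SENSITIVE_PARAMS is an assumption about which parameters are secrets.
"""
import re
from datetime import date, datetime
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ACTIVATION_URL = ("http://www.chevolume.com/LicensingService/Activate.ashx"
                  "?LicenseKey=AAADM-LCCKT-WTE4V-HL3UC-GXSNR&HardwareId=BX2PW-8EEFC-RHZKB-JV82G-JLEAA&ProductId=1")
SENSITIVE_PARAMS = {"licensekey", "hardwareid"}  # assumption

# NIST Daytime (RFC 867, TCP/13) reply: JJJJJ YR-MO-DA HH:MM:SS TT L H msADV UTC(NIST) OTM
DAYTIME_RE = re.compile(
    r"^(?P<mjd>\d{5}) (?P<date>\d\d-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<tt>\d\d) (?P<leap>\d) (?P<health>\d) (?P<msadv>\d+(?:\.\d+)?) UTC\(NIST\) (?P<otm>\S)$")
MJD_EPOCH = date(1858, 11, 17).toordinal()  # Modified Julian Day 0

SAMPLE_REPLIES = [  # constructed, in arrival order
    ("time-d.nist.gov", ""),                                                        # closed without data
    ("nist1-nj.ustiming.org", "58598 19-04-25 15:25:03 50 0 1 0.0 UTC(NIST) *"),    # H=1: server unhealthy
    ("time-a.nist.gov", "58598 19-04-25 15:25:04 50 0 0 734.2 UTC(NIST) *"),
    ("time-b.nist.gov", "58598 19-04-25 15:25:04 50 0 0 21.9 UTC(NIST) *"),
]


def activation_findings(url: str) -> list:
    """What an on-path observer or a proxy log gets from the activation request."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme == "http":
        findings.append(f"activation to {parts.hostname} uses cleartext HTTP; the whole query string is readable on the wire")
    for name, value in parse_qsl(parts.query):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"secret-bearing parameter {name} ({len(value)} chars) sent in the URL; "
                            f"URLs are retained in proxy, server and browser logs")
    return findings


def redact_url(url: str) -> str:
    """Keep the URL shape for an IOC list but mask the secret-bearing values."""
    parts = urlsplit(url)
    query = [(k, "<redacted>" if k.lower() in SENSITIVE_PARAMS else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="<>")))


def parse_daytime(line: str) -> dict:
    """Decode one NIST Daytime reply; the MJD field is checked against the calendar date as a sanity test."""
    m = DAYTIME_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a NIST Daytime reply: {line!r}")
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%y-%m-%d %H:%M:%S")
    mjd = int(m["mjd"])
    return {
        "utc": ts,
        "mjd": mjd,
        "mjd_consistent": mjd == ts.date().toordinal() - MJD_EPOCH,
        "dst_in_effect": m["tt"] == "50",  # TT: 00 standard time, 50 DST, other values count down to a change
        "leap_second_pending": m["leap"] != "0",
        "healthy": m["health"] == "0",
        "advance_ms": float(m["msadv"]),
    }


def pick_time_source(replies: list) -> Optional[str]:
    """First responder whose reply parses, reports a healthy server and carries a consistent MJD."""
    for host, line in replies:
        try:
            info = parse_daytime(line)
        except ValueError:
            continue
        if info["healthy"] and info["mjd_consistent"]:
            return host
    return None


if __name__ == "__main__":
    print("\n".join(activation_findings(ACTIVATION_URL)))
    print(redact_url(ACTIVATION_URL))
    print("And the winner is...", pick_time_source(SAMPLE_REPLIES))
```

A host whose reply sets the health flag or whose day number disagrees with its own date is skipped rather than trusted, which is the check to add if the application's time lookup feeds anything security-relevant such as a licence expiry; redact_url is what to paste into a shared indicator list so the licence key and hardware ID do not travel any further than they already have.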