File name: CheVolume-0.5.0.0.exe

Full analysis: https://app.any.run/tasks/c8c2a3d8-1999-4226-8969-5b6666eb48fa
Verdict: Malicious activity
Analysis date: April 25, 2019, 15:25:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 90829B374E87A8566240D511E45A4307
SHA1: 1E7D2D2F95CCFCFFE8DE63599D1EFEC39041F36F
SHA256: 481945D2FBC08EA7D32B2B4BB0946BFBA8049FF3B9918B9A665B5B2630758AE9
SSDEEP: 786432:Vhbpkv4mmvo7pLskTDNbuu6X+lHpsLxyQJafNZ+NYfzSKOE3:Vppkv4mmvWpLskTDlK+JpsLxyQJ4NZbn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • CheVolume-0.5.0.0.exe (PID: 1548)
      • vc_redist.x86.exe (PID: 2528)
      • CheVolume.exe (PID: 1004)
    • Writes to a start menu file
      • CheVolume-0.5.0.0.exe (PID: 1548)
    • Changes the autorun value in the registry
      • CheVolume-0.5.0.0.exe (PID: 1548)
    • Application was dropped or rewritten from another process
      • dotNetFx35setup.exe (PID: 332)
      • vc_redist.x86.exe (PID: 4020)
      • vc_redist.x86.exe (PID: 2528)
      • CheVolume.exe (PID: 1004)
  • SUSPICIOUS
    • Searches for installed software
      • vc_redist.x86.exe (PID: 2528)
    • Executable content was dropped or overwritten
      • CheVolume-0.5.0.0.exe (PID: 1548)
      • vc_redist.x86.exe (PID: 2528)
    • Creates files in the program directory
      • CheVolume-0.5.0.0.exe (PID: 1548)
    • Creates a software uninstall entry
      • CheVolume-0.5.0.0.exe (PID: 1548)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

ProductName: CheVolume
LegalCopyright: Author © 2016
FileVersion: 0.5.0.0
FileDescription: Application
CompanyName: WellWeWeb
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.5.0.0
FileVersionNumber: 0.5.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x310f
UninitializedDataSize: 1024
InitializedDataSize: 162816
CodeSize: 24576
LinkerVersion: 6
PEType: PE32
TimeStamp: 2016:04:03 22:18:59+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 03-Apr-2016 20:18:59
Detected languages:
  • English - United States
CompanyName: WellWeWeb
FileDescription: Application
FileVersion: 0.5.0.0
LegalCopyright: Author © 2016
ProductName: CheVolume

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 03-Apr-2016 20:18:59
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00005FDD | 0x00006000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.49972
.rdata | 0x00007000 | 0x00001352 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.20754
.data | 0x00009000 | 0x000254F8 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.03235
.ndata | 0x0002F000 | 0x00013000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x00042000 | 0x000198A8 | 0x00019A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.71904

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.28725 | 1072 | UNKNOWN | English - United States | RT_MANIFEST
2 | 3.71669 | 16936 | UNKNOWN | English - United States | RT_ICON
3 | 3.89952 | 9640 | UNKNOWN | English - United States | RT_ICON
4 | 4.27568 | 4264 | UNKNOWN | English - United States | RT_ICON
5 | 6.12697 | 1128 | UNKNOWN | English - United States | RT_ICON
6 | 0 | 744 | UNKNOWN | English - United States | RT_ICON
7 | 0 | 296 | UNKNOWN | English - United States | RT_ICON
103 | 2.93391 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON
105 | 2.68372 | 512 | UNKNOWN | English - United States | RT_DIALOG
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
Total processes: 40
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 1

Behavior graph

[Interactive process graph, available in the full report. Nodes: chevolume-0.5.0.0.exe (two instances, one marked "no specs"), vc_redist.x86.exe (two instances, one marked "no specs"), dotnetfx35setup.exe (marked "no specs"), chevolume.exe. Edge labels: "drop and start", "start".]

Process information

PID: 2780
CMD: "C:\Users\admin\AppData\Local\Temp\CheVolume-0.5.0.0.exe"
Path: C:\Users\admin\AppData\Local\Temp\CheVolume-0.5.0.0.exe
Parent process: explorer.exe
User: admin
Company: WellWeWeb
Integrity Level: MEDIUM
Description: Application
Exit code: 3221226540
Version: 0.5.0.0

PID: 1548
CMD: "C:\Users\admin\AppData\Local\Temp\CheVolume-0.5.0.0.exe"
Path: C:\Users\admin\AppData\Local\Temp\CheVolume-0.5.0.0.exe
Parent process: explorer.exe
User: admin
Company: WellWeWeb
Integrity Level: HIGH
Description: Application
Exit code: 0
Version: 0.5.0.0

PID: 4020
CMD: "C:\Program Files\WellWeWeb\CheVolume\vc_redist.x86.exe" /q /norestart
Path: C:\Program Files\WellWeWeb\CheVolume\vc_redist.x86.exe
Parent process: CheVolume-0.5.0.0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23918
Exit code: 1638
Version: 14.0.23918.0

PID: 2528
CMD: "C:\Program Files\WellWeWeb\CheVolume\vc_redist.x86.exe" /q /norestart -burn.unelevated BurnPipe.{28E97F4F-8996-4795-AA1E-A721AA34785A} {015A5C7C-FF2A-4201-BB14-AD1E73045E0F} 4020
Path: C:\Program Files\WellWeWeb\CheVolume\vc_redist.x86.exe
Parent process: vc_redist.x86.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23918
Exit code: 1638
Version: 14.0.23918.0

PID: 332
CMD: "C:\Program Files\WellWeWeb\CheVolume\dotNetFx35setup.exe"
Path: C:\Program Files\WellWeWeb\CheVolume\dotNetFx35setup.exe
Parent process: CheVolume-0.5.0.0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft .NET Framework 3.5 Setup
Exit code: 0
Version: 3.5.21022.08

PID: 1004
CMD: "C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe"
Path: C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe
Parent process: explorer.exe
User: admin
Company: WellWeWeb
Integrity Level: MEDIUM
Description: CheVolume
Version: 0.5.0.0

Total events: 478
Read events: 458
Write events: 20
Delete events: 0

Modification events

(PID) Process: (1548) CheVolume-0.5.0.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: ${_APP_NAME}
Value: C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe

(PID) Process: (1548) CheVolume-0.5.0.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CheVolume.exe
Operation: write
Name:
Value: C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe

(PID) Process: (1548) CheVolume-0.5.0.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CheVolume
Operation: write
Name: DisplayName
Value: CheVolume

(PID) Process: (1548) CheVolume-0.5.0.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CheVolume
Operation: write
Name: UninstallString
Value: C:\Program Files\WellWeWeb\CheVolume\uninstall.exe

(PID) Process: (1548) CheVolume-0.5.0.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CheVolume
Operation: write
Name: DisplayIcon
Value: C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe

(PID) Process: (1548) CheVolume-0.5.0.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CheVolume
Operation: write
Name: DisplayVersion
Value: 0.5.0.0

(PID) Process: (1548) CheVolume-0.5.0.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CheVolume
Operation: write
Name: Publisher
Value: WellWeWeb

(PID) Process: (1548) CheVolume-0.5.0.0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CheVolume
Operation: write
Name: URLInfoAbout
Value: www.chevolume.com

(PID) Process: (1004) CheVolume.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CheVolume_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (1004) CheVolume.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CheVolume_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

Executable files: 15
Suspicious files: 0
Text files: 39
Unknown types: 4

Dropped files

PID | Process | Filename | Type
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\CheVolume.exe | executable
  MD5: C16726328A23D162B48B9B7D055258FE
  SHA256: 6B4E8784D20DDB7C46319CD1ACBC1FCA0850D66EE1D305BC7F663DE01399F9AA
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\CheV.exe | executable
  MD5: 55ADBDF7A813BAADDF7992C8F69D9761
  SHA256: 2CB92980C6817FCE651449DF25DAA76746133CB79307054507BD8C181A665C1E
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\appicon.ico | image
  MD5: 196EC0E6ED903D9F01406ECFF68E94D4
  SHA256: 3FFF97154B22529E7F3D8777D8E8E4F57E1C363694F0FF47B6115DB9A35E6085
1548 | CheVolume-0.5.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsf6792.tmp\modern-wizard.bmp | image
  MD5: 3E5A56C18B19807A55C4511E69FA26F6
  SHA256: A4A1C1C54C365EDE18B9B73C138A3EA5474BFC57909080F09C656ADBEFEED9C5
1548 | CheVolume-0.5.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsf6792.tmp\modern-header.bmp | image
  MD5: 782A22FD3AA0EB0588986948AAEE3A11
  SHA256: 70A747EB7590304B99D5AF4671B308CF7E0C7752A01F10378059FD7B7A5EBEBE
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\vc_redist.x64.exe | executable
  MD5: 883C499D04C145A69622F7658E353265
  SHA256: DF58F4AA566A10776C864C1007E0AC0987835FA1E9F7445BED8BA21A9101D414
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\CheVolume64.dll | executable
  MD5: 612093EC2C8D3CD19C79E1191BAAAC11
  SHA256: 12A9AF6291C1CC0E89FF6CD4FB28CF5FCA897484FCE7EA82431B644C1E5492DC
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\CheVolume.dll | executable
  MD5: CE01A4558409B39CB94A90EFA7A4DC6D
  SHA256: F833414D6BCE2A37034F0F89FEAE3410DCFD9AE4AC849A949F0A29CAA4589781
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\LicensingUI.Net.dll | executable
  MD5: 188A1AEA0C2475B7F9FBD24AD33BB64C
  SHA256: 3275092FC7D5EF413E3697C9F71FCDB0567867D653761DB6FE119A74D87A9E02
1548 | CheVolume-0.5.0.0.exe | C:\Program Files\WellWeWeb\CheVolume\CheV64.exe | executable
  MD5: 0B0DCF91C192E8F42C76835F3C44BF07
  SHA256: 1474AC81695614C806ECC46A529297D862C4DDBE73EE3F3A404080F25A5C69F8

HTTP(S) requests: 1
TCP/UDP connections: 28
DNS requests: 31
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1004 | CheVolume.exe | GET | 200 | 37.187.236.124:80 | http://www.chevolume.com/LicensingService/Activate.ashx?LicenseKey=AAADM-LCCKT-WTE4V-HL3UC-GXSNR&HardwareId=BX2PW-8EEFC-RHZKB-JV82G-JLEAA&ProductId=1 | FR | text | 29 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1004 | CheVolume.exe | 129.6.15.28:13 | time-a.nist.gov | National Bureau of Standards | US | unknown
1004 | CheVolume.exe | 129.6.15.27:13 | time-d.nist.gov | National Bureau of Standards | US | unknown
1004 | CheVolume.exe | 64.236.96.53:13 | nist1.aol-va.symmetricom.com | AOL Transit Data Network | US | unknown
1004 | CheVolume.exe | 129.6.15.29:13 | time-b.nist.gov | National Bureau of Standards | US | unknown
1004 | CheVolume.exe | 67.227.226.241:13 | nist1-nj.ustiming.org | Liquid Web, L.L.C | US | malicious
- | - | 37.187.236.124:80 | www.chevolume.com | OVH SAS | FR | unknown
1004 | CheVolume.exe | 54.72.9.51:13 | wolfnisttime.com | Amazon.com, Inc. | IE | malicious
1004 | CheVolume.exe | 132.163.96.2:13 | time-b.timefreq.bldrdoc.gov | National Bureau of Standards | US | unknown
1004 | CheVolume.exe | 132.163.97.1:13 | wwv.nist.gov | National Bureau of Standards | US | unknown
1004 | CheVolume.exe | 132.163.97.4:13 | nist.expertsmi.com | National Bureau of Standards | US | unknown

DNS requests

Domain | IP | Reputation
www.chevolume.com | 37.187.236.124 | unknown
nist1-nj.ustiming.org | 67.227.226.241 | malicious
nist1-nj2.ustiming.org | 67.227.226.241 | malicious
nist1-ny2.ustiming.org | 67.227.226.241 | malicious
nist1-pa.ustiming.org | 67.227.226.241 | malicious
time-a.nist.gov | 129.6.15.28 | whitelisted
time-b.nist.gov | 129.6.15.29 | whitelisted
time-d.nist.gov | 129.6.15.27 | unknown
nist1.aol-va.symmetricom.com | 64.236.96.53 | unknown
nist1-atl.ustiming.org | 67.227.226.241 | malicious

Threats

No threats detected

Process | Message
CheVolume.exe | And the winner is... time-a.nist.gov