| File name: | Xvid-1.3.7-20191228.exe |
| Full analysis: | https://app.any.run/tasks/7dd752b5-2460-492f-98f8-c78187e7b641 |
| Verdict: | Malicious activity |
| Analysis date: | February 04, 2024, 08:12:47 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed |
| MD5: | 0A2F190C7B8E2744733944822BD317F3 |
| SHA1: | C2F2C0726ECB8230EBA1953C3120DDD24F16745B |
| SHA256: | 7997CB88DB3331191042EEF5238FBF2EBA44B9D244F43554A712996EBA2FFF49 |
| SSDEEP: | 196608:b/k/IXN+BupbShmbuR7HY4QIA6TC6otdn3gY3QIA6TP:NChG6xo3e6P |
MALICIOUS
Drops the executable file immediately after the start
- Xvid-1.3.7-20191228.exe (PID: 2204)
Registers / Runs the DLL via REGSVR32.EXE
- Xvid-1.3.7-20191228.exe (PID: 2204)
Creates a writable file in the system directory
- rundll32.exe (PID: 3416)
SUSPICIOUS
Executable content was dropped or overwritten
- rundll32.exe (PID: 3416)
- Xvid-1.3.7-20191228.exe (PID: 2204)
Reads the Internet Settings
- runonce.exe (PID: 3136)
Uses RUNDLL32.EXE to load library
- Xvid-1.3.7-20191228.exe (PID: 2204)
INFO
Checks supported languages
- Xvid-1.3.7-20191228.exe (PID: 2204)
- setpriv32.exe (PID: 908)
- setavi32.exe (PID: 3452)
Drops the executable file immediately after the start
- rundll32.exe (PID: 3416)
Reads the time zone
- runonce.exe (PID: 3136)
- Xvid-1.3.7-20191228.exe (PID: 2204)
Reads the computer name
- setpriv32.exe (PID: 908)
- Xvid-1.3.7-20191228.exe (PID: 2204)
Process checks whether UAC notifications are on
- Xvid-1.3.7-20191228.exe (PID: 2204)
Create files in a temporary directory
- Xvid-1.3.7-20191228.exe (PID: 2204)
Reads Environment values
- Xvid-1.3.7-20191228.exe (PID: 2204)
Reads CPU info
- Xvid-1.3.7-20191228.exe (PID: 2204)
Creates files in the program directory
- Xvid-1.3.7-20191228.exe (PID: 2204)
Reads Windows Product ID
- Xvid-1.3.7-20191228.exe (PID: 2204)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | UPX compressed Win32 Executable (39.3) |
|---|---|---|
| .exe | | | Win32 EXE Yoda's Crypter (38.6) |
| .dll | | | Win32 Dynamic Link Library (generic) (9.5) |
| .exe | | | Win32 Executable (generic) (6.5) |
| .exe | | | Generic Win/DOS Executable (2.9) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2015:04:10 17:42:38+02:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Large address aware, 32-bit, No debug |
| PEType: | PE32 |
| LinkerVersion: | 2.22 |
| CodeSize: | 905216 |
| InitializedDataSize: | 77824 |
| UninitializedDataSize: | 1994752 |
| EntryPoint: | 0x2c4190 |
| OSVersion: | 4 |
| ImageVersion: | 1 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.3.7.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Dynamic link library |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| ProductName: | Xvid Video Codec |
| LegalTrademarks: | - |
| FileDescription: | - |
| InternalName: | - |
| CompanyName: | Xvid Team |
| FileVersion: | 1.3.7.0 |
| LegalCopyright: | Copyright Xvid Team |
| OriginalFileName: | Xvid-1.3.7-windows.exe |
| Comments: | - |
| ProductVersion: | 1.3.7 |
Total processes
47
Monitored processes
8
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 572 | "C:\Users\admin\AppData\Local\Temp\Xvid-1.3.7-20191228.exe" | C:\Users\admin\AppData\Local\Temp\Xvid-1.3.7-20191228.exe | — | explorer.exe | |||||||||||
User: admin Company: Xvid Team Integrity Level: MEDIUM Exit code: 3221226540 Version: 1.3.7.0 Modules
| |||||||||||||||
| 908 | C:\Users\admin\AppData\Local\Temp\xvid_x86\SETPRI~1.EXE | C:\Users\admin\AppData\Local\Temp\xvid_x86\setpriv32.exe | Xvid-1.3.7-20191228.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
| 2204 | "C:\Users\admin\AppData\Local\Temp\Xvid-1.3.7-20191228.exe" | C:\Users\admin\AppData\Local\Temp\Xvid-1.3.7-20191228.exe | explorer.exe | ||||||||||||
User: admin Company: Xvid Team Integrity Level: HIGH Exit code: 0 Version: 1.3.7.0 Modules
| |||||||||||||||
| 2776 | "C:\Windows\System32\grpconv.exe" -o | C:\Windows\System32\grpconv.exe | — | runonce.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Progman Group Converter Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3048 | C:\Windows\System32\regsvr32.exe /s C:\Windows\system32/xvid.ax | C:\Windows\System32\regsvr32.exe | — | Xvid-1.3.7-20191228.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3136 | "C:\Windows\system32\runonce.exe" -r | C:\Windows\System32\runonce.exe | — | rundll32.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Run Once Wrapper Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3416 | C:\Windows\System32\rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 0 C:\Users\admin\AppData\Local\Temp/xvid_x86/xvid.inf | C:\Windows\System32\rundll32.exe | Xvid-1.3.7-20191228.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3452 | C:\Users\admin\AppData\Local\Temp\xvid_x86\setavi32.exe | C:\Users\admin\AppData\Local\Temp\xvid_x86\setavi32.exe | Xvid-1.3.7-20191228.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
Total events
711
Read events
696
Write events
12
Delete events
3
Modification events
| (PID) Process: | (2204) Xvid-1.3.7-20191228.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment |
| Operation: | delete value | Name: | BitRock |
Value: 1 | |||
| (PID) Process: | (3136) runonce.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | delete value | Name: | GrpConv |
Value: grpconv -o | |||
| (PID) Process: | (3136) runonce.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3136) runonce.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3136) runonce.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3136) runonce.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3416) rundll32.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | GlobalAssocChangedCounter |
Value: 115 | |||
| (PID) Process: | (2204) Xvid-1.3.7-20191228.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 |
| Operation: | write | Name: | msacm.l3acm |
Value: C:\Windows\System32\l3codeca.acm | |||
| (PID) Process: | (2204) Xvid-1.3.7-20191228.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\drivers.desc |
| Operation: | delete value | Name: | C:\Windows\System32\l3codeca.acm |
Value: Fraunhofer IIS MPEG Layer-3 Codec | |||
| (PID) Process: | (2204) Xvid-1.3.7-20191228.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShow\Preferred |
| Operation: | write | Name: | {44495658-0000-0010-8000-00AA00389B71} |
Value: {2A11BAE2-FE6E-4249-864B-9E9ED6E8DBC2} | |||
Executable files
37
Suspicious files
21
Text files
12
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2204 | Xvid-1.3.7-20191228.exe | C:\Users\admin\AppData\Local\Temp\BR3F3C.tmp | executable | |
MD5:145D5C49FE34A44662BEAFFE641D58C7 | SHA256:59182F092B59A3005ADA6B2F2855C7E860E53E8ADF6E41CD8CD515578AE7815A | |||
| 2204 | Xvid-1.3.7-20191228.exe | C:\Users\admin\AppData\Local\Temp\BR3995.tmp | executable | |
MD5:08AD4CD2A940379F1DCDBDB9884A1375 | SHA256:78827E2B1EF0AAD4F8B1B42D0964064819AA22BFCD537EBAACB30D817EDC06D8 | |||
| 2204 | Xvid-1.3.7-20191228.exe | C:\Users\admin\AppData\Local\Temp\BR39C5.tmp | executable | |
MD5:4FF365A985DB06A0D705D2149CAFBE69 | SHA256:C26277333C29E32837338613BD1B42E722601471FD703DCD30160CF89DAC9DA3 | |||
| 2204 | Xvid-1.3.7-20191228.exe | C:\Users\admin\AppData\Local\Temp\BR3F1B.tmp | executable | |
MD5:124E89D0FCC409EDE3595A253B788708 | SHA256:27EA1B57A3024AEC4A03188E80FDB2AA301FA5179C19BE9C8B0DFC2AAC73A114 | |||
| 2204 | Xvid-1.3.7-20191228.exe | C:\Users\admin\AppData\Local\Temp\BR3A15.tmp | executable | |
MD5:C04970B55BCF614F24CA75B1DE641AE2 | SHA256:5DDEE4AAB3CF33E505F52199D64809125B26DE04FB9970CA589CD8619C859D80 | |||
| 2204 | Xvid-1.3.7-20191228.exe | C:\Users\admin\AppData\Local\Temp\BR39D5.tmp | executable | |
MD5:027491B39A7B16B116E780F55ABC288E | SHA256:EEF69D005BF1C0B715C8D6205400D4755C261DD38DDFBBFE918E6EE91F21F1F0 | |||
| 2204 | Xvid-1.3.7-20191228.exe | C:\Users\admin\AppData\Local\Temp\BR3EDA.tmp | executable | |
MD5:924B90C3D9E645DFAD53F61EA4E91942 | SHA256:41788435F245133EC5511111E2C5D52F7515E359876180067E0B5BA85C729322 | |||
| 2204 | Xvid-1.3.7-20191228.exe | C:\Users\admin\AppData\Local\Temp\BR3EC9.tmp | executable | |
MD5:B226B75915B944BF20F96ADDFD6E4F87 | SHA256:91910BF7A630D272D5389AA6DAFC4E71F32298731B4F44D39B6A0B0D34BD1A3B | |||
| 2204 | Xvid-1.3.7-20191228.exe | C:\Users\admin\AppData\Local\Temp\BR38B8.tmp | executable | |
MD5:D31FA7D86A093997DA6252A984B7B6BD | SHA256:32D6CBFB9433BEDFA29CC46A0B7D2AB0FB6D084E8F2E9A8C55295065BBAD5128 | |||
| 2204 | Xvid-1.3.7-20191228.exe | C:\Users\admin\AppData\Local\Temp\BR3F2C.tmp | executable | |
MD5:606F13D4D580B1F322B3F3D3DF423BBA | SHA256:C71A16B1056E522CD0365449448116D06F37A3273D77694D170340064511DD25 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
DNS requests
Threats
Process | Message |
|---|---|
setpriv32.exe | Successfully changed DACL
|
setpriv32.exe | Successfully changed DACL
|
setavi32.exe | Successfully changed DACL
|