| Field | Value |
|---|---|
| File name: | disk2vhd.exe |
| Full analysis: | https://app.any.run/tasks/5a7c7554-830a-45d0-b3c1-fde24f536441 |
| Verdict: | Malicious activity |
| Analysis date: | April 27, 2024, 18:20:57 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 29346E15169118D7FCA8C820FCDDBE77 |
| SHA1: | 8B797DA550E45F9FFB84048F5FC2D483439F6EA6 |
| SHA256: | 7C2CA32561CC5D41606B86EBADD0A6A526F669A818FA40EA2023EAED02EFC4F7 |
| SSDEEP: | 6144:vMUC+baXRySumHF2iUsQdxzAeOaNREEVIWhrSEgSxiS+Us9:vMZLkSumHF2iUsQdmeOihri/Us9 |
| Extension | Identified type (score) |
|---|---|
| .exe | Win64 Executable (generic) (64.6) |
| .dll | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | Win32 Executable (generic) (10.5) |
| .exe | Generic Win/DOS Executable (4.6) |
| .exe | DOS Executable Generic (4.6) |
| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2021:10:11 17:09:07+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.29 |
| CodeSize: | 201216 |
| InitializedDataSize: | 1192448 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x197e3 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.0.2.0 |
| ProductVersionNumber: | 2.0.2.0 |
| FileFlagsMask: | 0x0017 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Unknown |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Sysinternals - www.sysinternals.com |
| FileDescription: | Disk to VHD converter |
| FileVersion: | 2.02 |
| InternalName: | Sysinternals Disk to VHD converter |
| LegalCopyright: | Copyright © 2009-2021 Mark Russinovich |
| OriginalFileName: | Disk2vhd |
| ProductName: | Disk2vhd |
| ProductVersion: | 2.02 |
| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Description | Company | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 1932 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | admin | MEDIUM | Windows Explorer | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) | 1 |
| 1964 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\System32\dllhost.exe | — | svchost.exe | admin | HIGH | COM Surrogate | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 2040 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | SYSTEM | SYSTEM | Microsoft® Volume Shadow Copy Service | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) | |
| 2104 | "C:\Users\admin\Desktop\disk2vhd.exe" | C:\Users\admin\Desktop\disk2vhd.exe | | explorer.exe | admin | HIGH | Disk to VHD converter | Sysinternals - www.sysinternals.com | 2.02 | |
| 2428 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\System32\dllhost.exe | — | svchost.exe | admin | HIGH | COM Surrogate | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 2980 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\System32\dllhost.exe | — | svchost.exe | admin | HIGH | COM Surrogate | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 3504 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\System32\dllhost.exe | — | svchost.exe | admin | HIGH | COM Surrogate | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 3972 | "C:\Users\admin\Desktop\disk2vhd.exe" | C:\Users\admin\Desktop\disk2vhd.exe | — | explorer.exe | admin | MEDIUM | Disk to VHD converter | Sysinternals - www.sysinternals.com | 2.02 | 3221226540 |
| 3996 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\System32\dllhost.exe | — | svchost.exe | admin | HIGH | COM Surrogate | Microsoft Corporation | 6.1.7600.16385 (win7_rtm.090713-1255) | |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 2104 | disk2vhd.exe | write | HKEY_CURRENT_USER\Software\Sysinternals\Disk2Vhd | EulaAccepted | 1 |
| 2104 | disk2vhd.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\PCI#VEN_8086&DEV_7111 | Service | intelide |
| 2104 | disk2vhd.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\PCI#VEN_8086&DEV_7111 | ClassGUID | {4D36E96A-E325-11CE-BFC1-08002BE10318} |
| 2104 | disk2vhd.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\intelide | Start | 0 |
| 2104 | disk2vhd.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\atapi | Start | 0 |
| 2104 | disk2vhd.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | IDENTIFY (Enter) | 400000000000000098AA7BB1CF98DA013808000048010000E8030000010000000000000000000000000000000000000000000000000000000000000000000000 |
| 2040 | VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer | IDENTIFY (Enter) | 40000000000000000E5B8CB1CF98DA01F80700009C080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
| 2040 | VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | IDENTIFY (Enter) | 400000000000000068BD8EB1CF98DA01F807000008090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
| 2040 | VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | IDENTIFY (Enter) | 400000000000000068BD8EB1CF98DA01F8070000EC070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
| 2040 | VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | IDENTIFY (Enter) | 400000000000000068BD8EB1CF98DA01F807000054070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2104 | disk2vhd.exe | C:\Windows\bootstat.dat | smt | 2A4D1FB13A9F2EDA39DA82A29618A16C | 276DF8DA5975B5DF1E695219A7D9D8EDBE3A879D4EF615B9EAB322547D19D9D3 |
| 2104 | disk2vhd.exe | C:\Windows\system32\halacpi.dll.bak | executable | 8C2EFB939D274594148DC7F1CA97B7D7 | B037BCAF15DD7AAD0A7E41E852EEAA10E971B47EE670D693B6EE47BFA2B81423 |
| 2104 | disk2vhd.exe | C:\Windows\bootstat.dat.bak | binary | 2A4D1FB13A9F2EDA39DA82A29618A16C | 276DF8DA5975B5DF1E695219A7D9D8EDBE3A879D4EF615B9EAB322547D19D9D3 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:138 | — | — | — | unknown |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| — | — | 224.0.0.252:5355 | — | — | — | unknown |