File name:

Rover.exe

Full analysis: https://app.any.run/tasks/5fd49cd6-387b-46cb-9de2-f7be1d685905
Verdict: Malicious activity
Analysis date: February 13, 2024, 03:18:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

63D052B547C66AC7678685D9F3308884

SHA1:

A6E42E6A86E3FF9FEC137C52B1086EE140A7B242

SHA256:

8634E9241729F16A8C2C23D5C184384815B97026E3D1A2D6DD0DDC825B142ABA

SSDEEP:

98304:Oapmon4QzApS9hNQdrhEYzOi85kXNjMcDPWDnkE3DJ910Fx5mwAbguuwS09Fo:OQhn5EQ9hNQAYzA5k6cTWDn7JKObS09u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the login/logoff helper path in the registry

      • Rover.exe (PID: 3772)
    • UAC/LUA settings modification

      • Rover.exe (PID: 3772)
    • Drops the executable file immediately after the start

      • Rover.exe (PID: 3772)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Rover.exe (PID: 3772)
  • INFO

    • Reads the computer name

      • Rover.exe (PID: 3772)
    • Process checks whether UAC notifications are on

      • Rover.exe (PID: 3772)
    • Checks supported languages

      • Rover.exe (PID: 3772)
    • Reads the machine GUID from the registry

      • Rover.exe (PID: 3772)
    • Creates files or folders in the user directory

      • Rover.exe (PID: 3772)
    • Creates files in the program directory

      • Rover.exe (PID: 3772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:07:13 22:47:16+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 104448
InitializedDataSize: 5268992
UninitializedDataSize: -
EntryPoint: 0xcd2f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Desktop Assistant
CompanyName: -
FileDescription: Rover The Desktop Assistant (beta version)
FileVersion: 1.0.0.0
InternalName: Rover.exe
LegalCopyright: Copyright © 2023
LegalTrademarks: -
OriginalFileName: Rover.exe
ProductName: Created by CYBER SOLDIER aka Clutter
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
2472"C:\Users\admin\Desktop\Rover.exe" C:\Users\admin\Desktop\Rover.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Rover The Desktop Assistant (beta version)
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\rover.exe
c:\windows\system32\ntdll.dll
3772"C:\Users\admin\Desktop\Rover.exe" C:\Users\admin\Desktop\Rover.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Rover The Desktop Assistant (beta version)
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\rover.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
754
Read events
735
Write events
19
Delete events
0

Modification events

(PID) Process:(3772) Rover.exeKey:HKEY_CURRENT_USER\Software\rover
Operation:writeName:lang
Value:
English (EN)
(PID) Process:(3772) Rover.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:FilterAdministratorToken
Value:
1
(PID) Process:(3772) Rover.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:EnableLUA
Value:
0
(PID) Process:(3772) Rover.exeKey:HKEY_CURRENT_USER\Software\rover
Operation:writeName:username
Value:
"nickname"
(PID) Process:(3772) Rover.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:writeName:Shell
Value:
explorer.exe, C:\Program Files\rover\rover.exe
(PID) Process:(3772) Rover.exeKey:HKEY_CURRENT_USER\Software\rover
Operation:writeName:tts_vol
Value:
50
(PID) Process:(3772) Rover.exeKey:HKEY_CURRENT_USER\Software\rover
Operation:writeName:tts_rate
Value:
0
(PID) Process:(3772) Rover.exeKey:HKEY_CURRENT_USER\Software\rover
Operation:writeName:filter_red
Value:
0
(PID) Process:(3772) Rover.exeKey:HKEY_CURRENT_USER\Software\rover
Operation:writeName:filter_green
Value:
0
(PID) Process:(3772) Rover.exeKey:HKEY_CURRENT_USER\Software\rover
Operation:writeName:filter_blue
Value:
0
Executable files
1
Suspicious files
12
Text files
496
Unknown types
4

Dropped files

PID
Process
Filename
Type
3772Rover.exeC:\Program Files\rover\Ashamed\Ashamed.015.pngimage
MD5:DA259A8B6C3CC0E31F5A3E3FF2EC9857
SHA256:4839100A04F859F3450955DBA13094B2BD6B1893F6BAF075882DE54800BD3A9E
3772Rover.exeC:\Program Files\rover\Ashamed\Ashamed.003.pngimage
MD5:CF62C5107B66367690832F72854BFFAE
SHA256:075B30FC4D1997D1826148D9A98DBE3A6B06EA53862FD2C453F5D6AD8C288E62
3772Rover.exeC:\Program Files\rover\Ashamed\Ashamed.009.pngimage
MD5:571AFD578CFAEF347A6052AFE253461B
SHA256:6CC53BAC0224FEADA9FE44E4FF957EC187709858A07158EE6FF0B84A604D7110
3772Rover.exeC:\Program Files\rover\Ashamed\Ashamed.005.pngimage
MD5:4568226931D995534E249F402AF4825A
SHA256:C1EF483BBF4DA565D3445A48A81B77B2DB2257AFD39C9B17B67E2E0277CFA24B
3772Rover.exeC:\Program Files\rover\Ashamed\Ashamed.007.pngimage
MD5:72685D7C7CC4C77E20618264B4150331
SHA256:B67E7613906632BC3F8AEC7541F2D99FB73C9406183699F9EAB3D97952AEB81B
3772Rover.exeC:\Program Files\rover\Ashamed\Ashamed.002.pngimage
MD5:A46F286AE95E280424E0C6D8F1213173
SHA256:49D69A5F0F84D89A458BF7E8FEA059F54F45ACE360D74DE22FE45ECEEC87BA16
3772Rover.exeC:\Program Files\rover\Ashamed\Ashamed.006.pngimage
MD5:3D8699EC82F73E244B078D9F16BDAC5C
SHA256:B1F9AE224B7B7988E6FF76C9A951609BA88290B79BC295F015186495E693479F
3772Rover.exeC:\Program Files\rover\Ashamed\Ashamed.004.pngimage
MD5:5F737B5A980C89BC41DBD33559902D29
SHA256:EC57C51CDAA4132218B00935F14BA1AEB0E9FA8AAC322C840F8C55B58D0D66EA
3772Rover.exeC:\Program Files\rover\Ashamed\Ashamed.008.pngimage
MD5:B3F53C1DC286776CF34641C7B8256DFA
SHA256:43C42124AE7D35D7ACDEAFDBB16A890B4667B4089920810FBFD1CC19AB9AEFCA
3772Rover.exeC:\Program Files\rover\Ashamed\Ashamed.010.pngimage
MD5:CB14927415ADCAC79057F0D907A19B83
SHA256:DC286D3373C6531C7F724FDE5AB241D639B19234AADA887C3D36CA0EF7E4AAAB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info