analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

vd_ppr-2.4.1.exe

Full analysis: https://app.any.run/tasks/87d2a2fd-7914-4427-b12f-4e89ecf179c4
Verdict: Malicious activity
Analysis date: April 14, 2019, 15:48:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

2303D57C88F6CE11849C61644ED0F72A

SHA1:

53093B8A3B7C5268C6B21D338479796BA94F310A

SHA256:

9F67B61F1642F36DB68B47E7E58CE71A61215BC4B32DADCA759718AE48B6850D

SSDEEP:

393216:9+dtnshGZ4n+JZsJVYkkJ5FNMym7DLzAT:9Xqzvs8kkJ5rMysf8T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • vd_ppr-2.4.1.exe (PID: 3584)
      • vd_ppr.exe (PID: 2104)
      • svchost.exe (PID: 840)

    • Application was dropped or rewritten from another process

      • vd_ppr.exe (PID: 2104)
      • vdjobman.dll (PID: 1080)

  • SUSPICIOUS

    • Creates files in the program directory

      • vd_ppr-2.4.1.exe (PID: 3584)

    • Creates a software uninstall entry

      • vd_ppr-2.4.1.exe (PID: 3584)

    • Executable content was dropped or overwritten

      • vd_ppr-2.4.1.exe (PID: 3584)

    • Starts application with an unusual extension

      • vd_ppr.exe (PID: 2104)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • vd_ppr-2.4.1.exe (PID: 3584)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x323c
UninitializedDataSize: 1024
InitializedDataSize: 119808
CodeSize: 23552
LinkerVersion: 6
PEType: PE32
TimeStamp: 2009:12:05 23:50:46+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Dec-2009 22:50:46
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 05-Dec-2009 22:50:46
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00005A5A
0x00005C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.4177
.rdata
0x00007000
0x00001190
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.18163
.data
0x00009000
0x0001AF98
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.70903
.ndata
0x00024000
0x0000A000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0002E000
0x00007858
0x00007A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.91231

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.10394
533
UNKNOWN
English - United States
RT_MANIFEST
2
4.88159
4264
UNKNOWN
English - United States
RT_ICON
3
5.88009
2216
UNKNOWN
English - United States
RT_ICON
4
5.50206
1384
UNKNOWN
English - United States
RT_ICON
5
5.47465
1128
UNKNOWN
English - United States
RT_ICON
102
2.71813
180
UNKNOWN
English - United States
RT_DIALOG
103
2.63539
76
UNKNOWN
English - United States
RT_GROUP_ICON
104
2.70992
344
UNKNOWN
English - United States
RT_DIALOG
105
2.68372
512
UNKNOWN
English - United States
RT_DIALOG
106
2.91148
248
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start vd_ppr-2.4.1.exe no specs vd_ppr-2.4.1.exe vd_ppr.exe vdjobman.dll no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1096"C:\Users\admin\AppData\Local\Temp\vd_ppr-2.4.1.exe" C:\Users\admin\AppData\Local\Temp\vd_ppr-2.4.1.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
3584"C:\Users\admin\AppData\Local\Temp\vd_ppr-2.4.1.exe" C:\Users\admin\AppData\Local\Temp\vd_ppr-2.4.1.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2104"C:\VisualData\vd_ppr\Local\vd_ppr.exe" C:\VisualData\vd_ppr\Local\vd_ppr.exe
explorer.exe
User:
admin
Company:
VisualData.ru
Integrity Level:
MEDIUM
Description:
Движок
Version:
1.0.0.0
1080C:\VisualData\vd_ppr\Local\vdjobman.dll 620 632 2104C:\VisualData\vd_ppr\Local\vdjobman.dllvd_ppr.exe
User:
admin
Integrity Level:
MEDIUM
840C:\Windows\system32\svchost.exe -k netsvcsC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
408
Read events
396
Write events
12
Delete events
0

Modification events

(PID) Process:(3584) vd_ppr-2.4.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vd_ppr.exe
Operation:writeName:
Value:
C:\VisualData\vd_ppr\visualdata.exe
(PID) Process:(3584) vd_ppr-2.4.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Ïëàíèðîâàíèå ïðîèçâîäñòâà ðàáîò-2.4.1
Operation:writeName:DisplayName
Value:
VisualData Ïëàíèðîâàíèå ïðîèçâîäñòâà ðàáîò 2.4.1
(PID) Process:(3584) vd_ppr-2.4.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Ïëàíèðîâàíèå ïðîèçâîäñòâà ðàáîò-2.4.1
Operation:writeName:UninstallString
Value:
C:\VisualData\vd_ppr\uninst.exe
(PID) Process:(3584) vd_ppr-2.4.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Ïëàíèðîâàíèå ïðîèçâîäñòâà ðàáîò-2.4.1
Operation:writeName:DisplayIcon
Value:
C:\VisualData\vd_ppr\ppr-icon.ico
(PID) Process:(3584) vd_ppr-2.4.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Ïëàíèðîâàíèå ïðîèçâîäñòâà ðàáîò-2.4.1
Operation:writeName:DisplayVersion
Value:
2.4.1
(PID) Process:(3584) vd_ppr-2.4.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Ïëàíèðîâàíèå ïðîèçâîäñòâà ðàáîò-2.4.1
Operation:writeName:URLInfoAbout
Value:
http://www.visualdata.ru
(PID) Process:(3584) vd_ppr-2.4.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Ïëàíèðîâàíèå ïðîèçâîäñòâà ðàáîò-2.4.1
Operation:writeName:HelpLink
Value:
http://www.visualdata.ru
(PID) Process:(3584) vd_ppr-2.4.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Ïëàíèðîâàíèå ïðîèçâîäñòâà ðàáîò-2.4.1
Operation:writeName:Publisher
Value:
VisualData
(PID) Process:(3584) vd_ppr-2.4.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Ïëàíèðîâàíèå ïðîèçâîäñòâà ðàáîò-2.4.1
Operation:writeName:Contact
Value:
òåë/ôàêñ.: 8 (863) 239-92-54
(PID) Process:(3584) vd_ppr-2.4.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Ïëàíèðîâàíèå ïðîèçâîäñòâà ðàáîò-2.4.1
Operation:writeName:InstallLocation
Value:
C:\VisualData\vd_ppr
Executable files
8
Suspicious files
26
Text files
128
Unknown types
12

Dropped files

PID
Process
Filename
Type
3584vd_ppr-2.4.1.exeC:\VisualData\vd_ppr\Local\scenario.stg
MD5:
SHA256:
840svchost.exeC:\Windows\appcompat\programs\RecentFileCache.bcftxt
MD5:27BFFD90E081DEE316ABE45AFDD62629
SHA256:AD9A31DB4A3C7D160B4770098DC531F65AC55B101BD5C987FC132A09BCE51C7F
3584vd_ppr-2.4.1.exeC:\Users\admin\AppData\Local\Temp\nsn8C07.tmp\modern-wizard.bmpimage
MD5:755EE551622F820D4ADCA2FA92B5D9AB
SHA256:8EDE27442B843EE84BB733227EE7B2FFEC45F6B5D1CFDE7EB36348203C7428B4
3584vd_ppr-2.4.1.exeC:\Users\admin\AppData\Local\Temp\nsn8C07.tmp\ioSpecial.initext
MD5:1496C77D85003CE93C97C8FCC449F4A2
SHA256:CB4FD676451456859E4B8276CE22DBBF6CEF48B5C5F7A84E995FB4A752218928
3584vd_ppr-2.4.1.exeC:\Users\admin\AppData\Local\Temp\nsn8C07.tmp\modern-header.bmpimage
MD5:8C4FBF57882B49AF15A5956503298F5A
SHA256:08A64EFD306D643859BA3E48B78D0C8348C0F939C259531641AE9109DCC63465
3584vd_ppr-2.4.1.exeC:\VisualData\vd_ppr\Local\config.vdrdbf
MD5:D94609CE23DF575EC147499C841623F2
SHA256:166D7EEB1743D3AA3B997F2998EABE6BA2F1711C52E4E9F711B2D5016F3755D9
3584vd_ppr-2.4.1.exeC:\VisualData\vd_ppr\Local\log.dllexecutable
MD5:EC1E44616127CD10C9F8C4A5FEB1B1FE
SHA256:80E9A9A8E69D77332E98A0134C239D63AC77D1EF6AEA205BF9E42D2D61344B40
3584vd_ppr-2.4.1.exeC:\VisualData\vd_ppr\Local\vd_ppr.exeexecutable
MD5:1253D86FFFD38E010A32C66AC710E120
SHA256:DE59EA2B31EFA160F8EFF089A6C77C8921AF3F9377563F1A7F44952C2B7C7DB0
3584vd_ppr-2.4.1.exeC:\VisualData\vd_ppr\Local\extimg.vdrdbf
MD5:3FF8AEB958C50B4FB66098FE43DCF166
SHA256:2B7904765936F1BE73AC1BC310E2CA977669E54BD2FC188A638D19EF439179BC
3584vd_ppr-2.4.1.exeC:\VisualData\vd_ppr\Local\config.initext
MD5:3D2D8E6B0B63FBE0610CE1F2F8A0AAC3
SHA256:AFFA983AACD60673305FB507E60794489C82B059A7C1EC4AB3F7982C9D73F048
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
vd_ppr-2.4.1.exe