General Info

File name: Best_m_Sample
Full analysis: https://app.any.run/tasks/f6ea7a2a-6023-4aa0-88f7-64eab1d3fcc4
Verdict: Malicious activity
Analysis date: 6/12/2019, 10:25:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir
Indicators:
MIME: video/mp4
File info: ISO Media, MP4 v2 [ISO 14496-14]
MD5: 10da9a1031c74d18a0016f0cd0e5a6a0
SHA1: b2c96f2e5d4cd1529b3586272f280de8225ffcf0
SHA256: a5cd69f71675fc5690928d6329ae99e671067cdd8c2f78c5263183eaa0e44390
SSDEEP: 96:XuIWLaayaPacaxaOaZa4ata5aJaZai4m6pGapm6i4Gapm6pGai4J6pGm6pGapm6I:+nUnnCpQnnCUrJMwMCMt/auJYnTRo5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 120 seconds
Additional time used: 60 seconds
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO

No malicious indicators.

Creates files in the user directory
  • vlc.exe (PID: 2824)
Manual execution by user
  • vlc.exe (PID: 2516)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.mp4  Generic MP4 container (74.9%)
.abr  Adobe PhotoShop Brush (25%)
EXIF
QuickTime
MajorBrand: MP4 v2 [ISO 14496-14]
MinorVersion: 0.0.1
CompatibleBrands: null, null, null, null
MovieHeaderVersion: null
CreateDate: 2009:10:22 09:40:16
ModifyDate: 2009:10:22 09:40:16
TimeScale: 600
Duration: 0:00:30
PreferredRate: 1
PreferredVolume: 100.00%
PreviewTime: 0 s
PreviewDuration: 0 s
PosterTime: 0 s
SelectionTime: 0 s
SelectionDuration: 0 s
CurrentTime: 0 s
NextTrackID: 5
TrackHeaderVersion: null
TrackCreateDate: 2009:10:22 09:40:16
TrackModifyDate: 2009:10:22 09:40:16
TrackID: 1
TrackDuration: 0:00:30
TrackLayer: null
TrackVolume: 100.00%
MatrixStructure: 1 0 0 0 1 0 0 0 1
ImageWidth: 480
ImageHeight: 270
MediaHeaderVersion: null
MediaCreateDate: 2009:10:22 09:40:16
MediaModifyDate: 2009:10:22 09:40:16
MediaTimeScale: 600
MediaDuration: 0:00:30
HandlerClass: Media Handler
HandlerType: Video Track
HandlerDescription: Apple Video Media Handler
GraphicsMode: srcCopy
OpColor: 0 0 0
Composite
ImageSize: 480x270
Megapixels: 0.13
Rotation: null

Screenshots

Processes

Total processes: 33
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start: vlc.exe, vlc.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID: 2824
CMD: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\AppData\Local\Temp\Best_m_Sample.mp4"
Path: C:\Program Files\VideoLAN\VLC\vlc.exe
Indicators:
Parent process: ––
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version:
Company: VideoLAN
Description: VLC media player
Version: 2.2.6
Modules
Image
c:\program files\videolan\vlc\vlc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\videolan\vlc\libvlc.dll
c:\program files\videolan\vlc\libvlccore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winmm.dll
c:\program files\videolan\vlc\plugins\access\libdshow_plugin.dll
c:\windows\system32\oleaut32.dll
c:\program files\videolan\vlc\plugins\audio_output\libdirectsound_plugin.dll
c:\program files\videolan\vlc\plugins\audio_output\libwaveout_plugin.dll
c:\program files\videolan\vlc\plugins\video_output\libdirect3d_plugin.dll
c:\program files\videolan\vlc\plugins\video_output\libdirectdraw_plugin.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\program files\videolan\vlc\plugins\control\libwin_msg_plugin.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\program files\videolan\vlc\plugins\control\libhotkeys_plugin.dll
c:\program files\videolan\vlc\plugins\access\libvdr_plugin.dll
c:\program files\videolan\vlc\plugins\control\libwin_hotkeys_plugin.dll
c:\program files\videolan\vlc\plugins\access\libfilesystem_plugin.dll
c:\program files\videolan\vlc\plugins\stream_filter\libsmooth_plugin.dll
c:\program files\videolan\vlc\plugins\gui\libqt4_plugin.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wsock32.dll
c:\program files\videolan\vlc\plugins\stream_filter\libhttplive_plugin.dll
c:\program files\videolan\vlc\plugins\stream_filter\libdash_plugin.dll
c:\program files\videolan\vlc\plugins\access\libzip_plugin.dll
c:\program files\videolan\vlc\plugins\access\librar_plugin.dll
c:\program files\videolan\vlc\plugins\stream_filter\librecord_plugin.dll
c:\program files\videolan\vlc\plugins\demux\libmp4_plugin.dll
c:\program files\videolan\vlc\plugins\meta_engine\libtaglib_plugin.dll
c:\program files\videolan\vlc\plugins\lua\liblua_plugin.dll
c:\windows\system32\userenv.dll
c:\program files\videolan\vlc\plugins\meta_engine\libfolder_plugin.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\videolan\vlc\plugins\access\liblibbluray_plugin.dll
c:\program files\videolan\vlc\plugins\access\libaccess_bd_plugin.dll
c:\program files\videolan\vlc\plugins\access\libdvdnav_plugin.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\program files\videolan\vlc\plugins\misc\libexport_plugin.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID: 2516
CMD: "C:\Program Files\VideoLAN\VLC\vlc.exe"
Path: C:\Program Files\VideoLAN\VLC\vlc.exe
Indicators:
Parent process: ––
User: admin
Integrity Level: MEDIUM
Version:
Company: VideoLAN
Description: VLC media player
Version: 2.2.6
Modules
Image
c:\program files\videolan\vlc\vlc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\videolan\vlc\libvlc.dll
c:\windows\system32\advapi32.dll
c:\program files\videolan\vlc\libvlccore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winmm.dll
c:\program files\videolan\vlc\plugins\access\libdshow_plugin.dll
c:\windows\system32\oleaut32.dll
c:\program files\videolan\vlc\plugins\audio_output\libdirectsound_plugin.dll
c:\program files\videolan\vlc\plugins\audio_output\libwaveout_plugin.dll
c:\program files\videolan\vlc\plugins\video_output\libdirect3d_plugin.dll
c:\program files\videolan\vlc\plugins\video_output\libdirectdraw_plugin.dll
c:\program files\videolan\vlc\plugins\access\liblibbluray_plugin.dll
c:\program files\videolan\vlc\plugins\access\libaccess_bd_plugin.dll
c:\program files\videolan\vlc\plugins\access\libdvdnav_plugin.dll
c:\program files\videolan\vlc\plugins\access\libvdr_plugin.dll
c:\program files\videolan\vlc\plugins\access\libfilesystem_plugin.dll
c:\program files\videolan\vlc\plugins\stream_filter\libsmooth_plugin.dll
c:\program files\videolan\vlc\plugins\stream_filter\libhttplive_plugin.dll
c:\program files\videolan\vlc\plugins\stream_filter\libdash_plugin.dll
c:\program files\videolan\vlc\plugins\access\libzip_plugin.dll
c:\program files\videolan\vlc\plugins\access\librar_plugin.dll
c:\program files\videolan\vlc\plugins\stream_filter\librecord_plugin.dll
c:\program files\videolan\vlc\plugins\demux\libplaylist_plugin.dll
c:\program files\videolan\vlc\plugins\meta_engine\libtaglib_plugin.dll
c:\program files\videolan\vlc\plugins\lua\liblua_plugin.dll
c:\program files\videolan\vlc\plugins\misc\libxml_plugin.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\program files\videolan\vlc\plugins\control\libhotkeys_plugin.dll
c:\program files\videolan\vlc\plugins\control\libwin_hotkeys_plugin.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\program files\videolan\vlc\plugins\gui\libqt4_plugin.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wsock32.dll
c:\windows\system32\userenv.dll
c:\program files\videolan\vlc\plugins\access\libhttp_plugin.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\program files\videolan\vlc\plugins\misc\libgnutls_plugin.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll

Registry activity

Total events: 381
Read events: 381
Write events: 0
Delete events: 0

Modification events

No registry activity.

Files activity

Executable files: 0
Suspicious files: 0
Text files: 5
Unknown types: 0

Dropped files

PID   Process  Filename                                                     Type
2516  vlc.exe  C:\Users\admin\AppData\Local\Temp\vlc-3.0.7.1-win32.exe      ––
      MD5: ––  SHA256: ––
2516  vlc.exe  C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini      text
      MD5: 9510af9abf0de26040b4aaea28b9adb0  SHA256: e07b48beb757e4ee7d916f428dbc69aca797fdbe85e317b880a39cf710de669d
2824  vlc.exe  C:\Users\admin\AppData\Roaming\vlc\vlcrc.2824                ––
      MD5: ––  SHA256: ––
2824  vlc.exe  C:\Users\admin\AppData\Roaming\vlc\ml.xspf                   xml
      MD5: 781602441469750c3219c8c38b515ed4  SHA256: 81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d
2824  vlc.exe  C:\Users\admin\AppData\Roaming\vlc\ml.xspf.tmp2824           ––
      MD5: ––  SHA256: ––
2824  vlc.exe  C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini      text
      MD5: f27b3c589c359ac6d6508b67ef2c8daf  SHA256: 52169d83b7c405bf2ce4fce95c3ab85c0dfd283a866367ef699e5be3c62deba7
2824  vlc.exe  C:\Users\admin\AppData\Roaming\vlc\vlcrc                     text
      MD5: e93b49b91a2086f13a1cce53b4989453  SHA256: b3aa0e46ec71cfec09b05617941066170f1de9684f79f99876e09f8bee29ad6d
2824  vlc.exe  C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini      text
      MD5: fb42b7c390f248abe0e5308314208ba6  SHA256: 1b49c365f7fa713e83c04604af9fc716a113eb45b858ab0e42205f9153c1be40
2824  vlc.exe  C:\Users\admin\AppData\Local\Temp\VLCEFC.tmp                 ––
      MD5: ––  SHA256: ––

Find more information about the static content and download it at the full report

Network activity

HTTP(S) requests: 4
TCP/UDP connections: 6
DNS requests: 4
Threats: 0

HTTP requests

PID   Process  Method  HTTP Code  IP                   URL                                                               CN  Type  Size  Reputation
2516  vlc.exe  GET     206        88.191.250.2:80      http://update.videolan.org/vlc/status-win-x86                     FR  text  ––    unknown
2516  vlc.exe  GET     206        88.191.250.2:80      http://update.videolan.org/vlc/status-win-x86.asc                 FR  asc   ––    unknown
2516  vlc.exe  GET     302        62.210.246.226:80    http://get.videolan.org/vlc/3.0.7.1/win32/vlc-3.0.7.1-win32.exe      FR  html  ––    malicious
2516  vlc.exe  GET     302        195.154.241.219:80   http://get.videolan.org/vlc/3.0.7.1/win32/vlc-3.0.7.1-win32.exe.asc  FR  html  ––    malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2516 vlc.exe 88.191.250.2:80 Free SAS FR unknown
–– –– 62.210.246.226:80 Online S.a.s. FR malicious
2516 vlc.exe 176.9.154.218:443 Hetzner Online GmbH DE unknown
2516 vlc.exe 195.154.241.219:80 Online S.a.s. FR unknown

DNS requests

Domain                IP               Reputation
update.videolan.org   88.191.250.2     unknown
get.videolan.org      62.210.246.226   malicious
mirror.kumi.systems   176.9.154.218    unknown

Threats

No threats detected.

Debug output strings

Process Message
vlc.exe core access error: read error: Bad file descriptor
vlc.exe core access error: read error: Bad file descriptor
vlc.exe core access error: read error: Bad file descriptor
vlc.exe core access error: read error: Bad file descriptor
vlc.exe core access error: read error: Bad file descriptor
vlc.exe core access error: read error: Bad file descriptor