Malware analysis Best_m_Sample Malicious activity | ANY.RUN

Add for printing

File name:	Best_m_Sample
Full analysis:	https://app.any.run/tasks/f6ea7a2a-6023-4aa0-88f7-64eab1d3fcc4
Verdict:	Malicious activity
Analysis date:	June 12, 2019, 08:25:01
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	opendir
Indicators:
MIME:	video/mp4
File info:	ISO Media, MP4 v2 [ISO 14496-14]
MD5:	10DA9A1031C74D18A0016F0CD0E5A6A0
SHA1:	B2C96F2E5D4CD1529B3586272F280DE8225FFCF0
SHA256:	A5CD69F71675FC5690928D6329AE99E671067CDD8C2F78C5263183EAA0E44390
SSDEEP:	96:XuIWLaayaPacaxaOaZa4ata5aJaZai4m6pGapm6i4Gapm6pGai4J6pGm6pGapm6I:+nUnnCpQnnCUrJMwMCMt/auJYnTRo5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Creates files in the user directory
  - vlc.exe (PID: 2824)
INFO
- Manual execution by user
  - vlc.exe (PID: 2516)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.mp4	\|	Generic MP4 container (74.9)
.abr	\|	Adobe PhotoShop Brush (25)

EXIF

Composite

Rotation:	-
Megapixels:	0.13
ImageSize:	480x270

QuickTime

OpColor:	0 0 0
GraphicsMode:	srcCopy
HandlerDescription:	Apple Video Media Handler
HandlerType:	Video Track
HandlerClass:	Media Handler
MediaDuration:	0:00:30
MediaTimeScale:	600
MediaModifyDate:	2009:10:22 09:40:16
MediaCreateDate:	2009:10:22 09:40:16
MediaHeaderVersion:	-
ImageHeight:	270
ImageWidth:	480
MatrixStructure:	1 0 0 0 1 0 0 0 1
TrackVolume:	100.00%
TrackLayer:	-
TrackDuration:	0:00:30
TrackID:	1
TrackModifyDate:	2009:10:22 09:40:16
TrackCreateDate:	2009:10:22 09:40:16
TrackHeaderVersion:	-
NextTrackID:	5
CurrentTime:	0 s
SelectionDuration:	0 s
SelectionTime:	0 s
PosterTime:	0 s
PreviewDuration:	0 s
PreviewTime:	0 s
PreferredVolume:	100.00%
PreferredRate:	1
Duration:	0:00:30
TimeScale:	600
ModifyDate:	2009:10:22 09:40:16
CreateDate:	2009:10:22 09:40:16
MovieHeaderVersion:	-
CompatibleBrands:	mp42 avc1 mp42 mp41
MinorVersion:	0.0.1
MajorBrand:	MP4 v2 [ISO 14496-14]

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Parent process
2824	"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\AppData\Local\Temp\Best_m_Sample.mp4"	C:\Program Files\VideoLAN\VLC\vlc.exe	explorer.exe
User: admin Company: VideoLAN Integrity Level: MEDIUM Description: VLC media player Exit code: 0 Version: 2.2.6
2516	"C:\Program Files\VideoLAN\VLC\vlc.exe"	C:\Program Files\VideoLAN\VLC\vlc.exe	explorer.exe
User: admin Company: VideoLAN Integrity Level: MEDIUM Description: VLC media player Version: 2.2.6

Add for printing

Total events

381

Read events

381

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2824	vlc.exe	C:\Users\admin\AppData\Local\Temp\VLCEFC.tmp		—
		MD5:—	SHA256:—
2824	vlc.exe	C:\Users\admin\AppData\Roaming\vlc\vlcrc.2824		—
		MD5:—	SHA256:—
2824	vlc.exe	C:\Users\admin\AppData\Roaming\vlc\ml.xspf.tmp2824		—
		MD5:—	SHA256:—
2516	vlc.exe	C:\Users\admin\AppData\Local\Temp\vlc-3.0.7.1-win32.exe		—
		MD5:—	SHA256:—
2824	vlc.exe	C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini		text
		MD5:FB42B7C390F248ABE0E5308314208BA6	SHA256:1B49C365F7FA713E83C04604AF9FC716A113EB45B858AB0E42205F9153C1BE40
2824	vlc.exe	C:\Users\admin\AppData\Roaming\vlc\vlcrc		text
		MD5:E93B49B91A2086F13A1CCE53B4989453	SHA256:B3AA0E46EC71CFEC09B05617941066170F1DE9684F79F99876E09F8BEE29AD6D
2516	vlc.exe	C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini		text
		MD5:9510AF9ABF0DE26040B4AAEA28B9ADB0	SHA256:E07B48BEB757E4EE7D916F428DBC69ACA797FDBE85E317B880A39CF710DE669D
2824	vlc.exe	C:\Users\admin\AppData\Roaming\vlc\ml.xspf		xml
		MD5:781602441469750C3219C8C38B515ED4	SHA256:81970DBE581373D14FBD451AC4B3F96E5F69B79645F1EE1CA715CFF3AF0BF20D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2516	vlc.exe	GET	302	62.210.246.226:80	http://get.videolan.org/vlc/3.0.7.1/win32/vlc-3.0.7.1-win32.exe	FR	html	120 b	malicious
2516	vlc.exe	GET	206	88.191.250.2:80	http://update.videolan.org/vlc/status-win-x86	FR	text	344 b	malicious
2516	vlc.exe	GET	206	88.191.250.2:80	http://update.videolan.org/vlc/status-win-x86.asc	FR	asc	195 b	malicious
2516	vlc.exe	GET	302	195.154.241.219:80	http://get.videolan.org/vlc/3.0.7.1/win32/vlc-3.0.7.1-win32.exe.asc	FR	html	124 b	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2516	vlc.exe	88.191.250.2:80	update.videolan.org	Free SAS	FR	malicious
—	—	62.210.246.226:80	get.videolan.org	Online S.a.s.	FR	malicious
2516	vlc.exe	176.9.154.218:443	mirror.kumi.systems	Hetzner Online GmbH	DE	unknown
2516	vlc.exe	195.154.241.219:80	get.videolan.org	Online S.a.s.	FR	suspicious

DNS requests

Domain	IP	Reputation
update.videolan.org	88.191.250.2	unknown
get.videolan.org	62.210.246.226 195.154.241.219	unknown
mirror.kumi.systems	176.9.154.218	suspicious

Threats

No threats detected

Add for printing

Process	Message
vlc.exe	core libvlc: one instance mode ENABLED
vlc.exe	core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
vlc.exe	core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
vlc.exe	core libvlc: Status file authenticated
vlc.exe	gnutls tls session error: A TLS packet with unexpected length was received.
vlc.exe	core access error: read error: Bad file descriptor

General Info

Best_m_Sample

10DA9A1031C74D18A0016F0CD0E5A6A0

B2C96F2E5D4CD1529B3586272F280DE8225FFCF0

A5CD69F71675FC5690928D6329AE99E671067CDD8C2F78C5263183EAA0E44390

96:XuIWLaayaPacaxaOaZa4ata5aJaZai4m6pGapm6i4Gapm6pGai4J6pGm6pGapm6I:+nUnnCpQnnCUrJMwMCMt/auJYnTRo5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Creates files in the user directory

INFO

Manual execution by user

Malware configuration

Static information

TRiD

EXIF

Composite

QuickTime

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings