analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

WinCDEmu-4.1.exe

Full analysis: https://app.any.run/tasks/87eef481-a0f0-40b2-a1ac-1438ccb015a2
Verdict: Malicious activity
Analysis date: April 23, 2019, 17:37:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

4E53BEFE779F677B1CCEC54B84F60A8C

SHA1:

9FF4F2ED41D5BD09496D2CFB6E09C4B31659DC19

SHA256:

C47763631D20120057766F2F71F781BF958E22712DA4AC933B21DB0D615DC93C

SSDEEP:

49152:kCFdVNpsRKZdJ0ya6wWfumwumbp/afUD+6EVV4dDD/:kaVNpsIF0ya6wWf32p/69Z4dDj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 884)
      • regsvr32.exe (PID: 2816)

    • Registers / Runs the DLL via REGSVR32.EXE

      • uninstall.exe (PID: 2356)

    • Application was dropped or rewritten from another process

      • drvinst32.exe (PID: 3356)
      • uninstall.exe (PID: 2356)
      • VirtualAutorunDisabler.exe (PID: 3388)
      • vmnt.exe (PID: 3932)

    • Changes settings of System certificates

      • drvinst32.exe (PID: 3356)

  • SUSPICIOUS

    • Creates COM task schedule object

      • regsvr32.exe (PID: 2816)
      • regsvr32.exe (PID: 884)

    • Modifies the open verb of a shell class

      • WinCDEmu-4.1.exe (PID: 3888)

    • Executable content was dropped or overwritten

      • WinCDEmu-4.1.exe (PID: 3888)
      • drvinst32.exe (PID: 3356)
      • DrvInst.exe (PID: 3408)
      • DrvInst.exe (PID: 3060)

    • Creates files in the program directory

      • WinCDEmu-4.1.exe (PID: 3888)

    • Adds / modifies Windows certificates

      • drvinst32.exe (PID: 3356)

    • Removes files from Windows directory

      • DrvInst.exe (PID: 3408)
      • DrvInst.exe (PID: 3060)

    • Creates files in the driver directory

      • DrvInst.exe (PID: 3408)
      • DrvInst.exe (PID: 3060)

    • Searches for installed software

      • DrvInst.exe (PID: 3408)

    • Uses RUNDLL32.EXE to load library

      • DrvInst.exe (PID: 3408)

    • Creates files in the Windows directory

      • DrvInst.exe (PID: 3408)
      • DrvInst.exe (PID: 3060)

    • Creates a software uninstall entry

      • WinCDEmu-4.1.exe (PID: 3888)

  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 1380)

    • Changes settings of System certificates

      • DrvInst.exe (PID: 3408)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

ProductVersion: 4.1
ProductName: WinCDEmu
OriginalFileName: WinCDEmu-installer.exe
LegalTrademarks: Sysprogs
LegalCopyright: LGPL
FileVersion: 4.1
FileDescription: WinCDEmu installer
CompanyName: Sysprogs OU
Comments: http://wincdemu.sysprogs.org/
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0017
ProductVersionNumber: 4.1.0.0
FileVersionNumber: 4.1.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x5a900
UninitializedDataSize: 249856
InitializedDataSize: 40960
CodeSize: 118784
LinkerVersion: 10
PEType: PE32
TimeStamp: 2015:09:30 20:31:31+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-Sep-2015 18:31:31
Detected languages:
  • English - United States
  • Russian - Russia
Comments: http://wincdemu.sysprogs.org/
CompanyName: Sysprogs OU
FileDescription: WinCDEmu installer
FileVersion: 4.1
LegalCopyright: LGPL
LegalTrademarks: Sysprogs
OriginalFilename: WinCDEmu-installer.exe
ProductName: WinCDEmu
ProductVersion: 4.1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 30-Sep-2015 18:31:31
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x0003D000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x0003E000
0x0001D000
0x0001CC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.92791
.rsrc
0x0005B000
0x0000A000
0x00009A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.51966

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.20785
886
Latin 1 / Western European
English - United States
RT_MANIFEST
2
7.41892
498
Latin 1 / Western European
Russian - Russia
RT_DIALOG
3
7.42632
528
Latin 1 / Western European
Russian - Russia
RT_DIALOG
4
7.42614
432
Latin 1 / Western European
Russian - Russia
RT_DIALOG
5
6.89497
374
Latin 1 / Western European
Russian - Russia
RT_DIALOG
6
7.61588
744
Latin 1 / Western European
Russian - Russia
RT_ICON
7
7.56565
872
Latin 1 / Western European
Russian - Russia
RT_ICON
8
7.67495
1248
Latin 1 / Western European
Russian - Russia
RT_STRING
9
7.39595
702
Latin 1 / Western European
Russian - Russia
RT_STRING
70
7.25449
626
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.DLL
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
14
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start start wincdemu-4.1.exe no specs wincdemu-4.1.exe uninstall.exe no specs virtualautorundisabler.exe no specs regsvr32.exe no specs regsvr32.exe no specs drvinst32.exe drvinst.exe rundll32.exe no specs vssvc.exe no specs drvinst.exe no specs drvinst.exe vmnt.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3084"C:\Users\admin\AppData\Local\Temp\WinCDEmu-4.1.exe" C:\Users\admin\AppData\Local\Temp\WinCDEmu-4.1.exeexplorer.exe
User:
admin
Company:
Sysprogs OU
Integrity Level:
MEDIUM
Description:
WinCDEmu installer
Exit code:
3221226540
Version:
4.1
3888"C:\Users\admin\AppData\Local\Temp\WinCDEmu-4.1.exe" C:\Users\admin\AppData\Local\Temp\WinCDEmu-4.1.exe
explorer.exe
User:
admin
Company:
Sysprogs OU
Integrity Level:
HIGH
Description:
WinCDEmu installer
Exit code:
0
Version:
4.1
2356"C:\Program Files\WinCDEmu\uninstall.exe" /UPDATEC:\Program Files\WinCDEmu\uninstall.exeWinCDEmu-4.1.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3388"C:\Program Files\WinCDEmu\x86\VirtualAutorunDisabler.exe" /RegServerC:\Program Files\WinCDEmu\x86\VirtualAutorunDisabler.exeuninstall.exe
User:
admin
Company:
Sysprogs OU
Integrity Level:
HIGH
Description:
WinCDEmu autorun disabling module
Exit code:
0
Version:
4.1
884"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\WinCDEmu\x86\VirtualAutorunDisablerPS.dll"C:\Windows\System32\regsvr32.exeuninstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2816"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\WinCDEmu\x86\WinCDEmuContextMenu.dll"C:\Windows\System32\regsvr32.exeuninstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3356C:\Users\admin\AppData\Local\Temp\ssi187D.tmp\drvinst32.exe instroot "root\BazisVirtualCDBus" "C:\Program Files\WinCDEmu\BazisVirtualCDBus.inf"C:\Users\admin\AppData\Local\Temp\ssi187D.tmp\drvinst32.exe
WinCDEmu-4.1.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3408DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{3e84f513-4efb-2b1a-2447-b41129302f6f}\bazisvirtualcdbus.inf" "0" "6aa431c33" "0000053C" "WinSta0\Default" "000004CC" "208" "c:\program files\wincdemu"C:\Windows\system32\DrvInst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3240rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{35c71a00-44c9-7ea7-2a6f-1a64fc668f75} Global\{703a2c06-5c15-497e-d598-3007c0d8326e} C:\Windows\System32\DriverStore\Temp\{3c1b5b34-ce6f-09a5-6988-2c65f0a7ec4a}\bazisvirtualcdbus.inf C:\Windows\System32\DriverStore\Temp\{3c1b5b34-ce6f-09a5-6988-2c65f0a7ec4a}\BazisVirtualCDBus.catC:\Windows\system32\rundll32.exeDrvInst.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1380C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
695
Read events
368
Write events
0
Delete events
0

Modification events

No data
Executable files
21
Suspicious files
63
Text files
245
Unknown types
6

Dropped files

PID
Process
Filename
Type
3888WinCDEmu-4.1.exeC:\Program Files\WinCDEmu\x86\VirtualAutorunDisabler.exeexecutable
MD5:98E22C7CD9BAECA08875EAFD182C13FC
SHA256:06969D6F39A5C181580C7A418D1795CB1A1D890EBA07E8125F18A58FA8476423
3888WinCDEmu-4.1.exeC:\Program Files\WinCDEmu\batchmnt64.exeexecutable
MD5:EF5F980E1E1DBDF454673206751BF255
SHA256:4A363E27B849A994250E6F2E4C9B4DD56F70F7CF9FF78375B3EE23244F1F9B6E
3888WinCDEmu-4.1.exeC:\Program Files\WinCDEmu\langfiles\vmnt_Bengali.lngbinary
MD5:D23C884983ACDD3E39D905B456A93810
SHA256:A7F22EA0BBBF9C22AC7E3B6F72785E41CABEAB35A762A55CDD0782015A5DD029
3888WinCDEmu-4.1.exeC:\Program Files\WinCDEmu\batchmnt.exeexecutable
MD5:5E6561921A7722EA025A79172E7B443E
SHA256:C694D42D19DAA784687B9146D19B7797B937E151A8AA7155904F54A1A6FD7A84
3888WinCDEmu-4.1.exeC:\Program Files\WinCDEmu\vmnt64.exeexecutable
MD5:BF26C935FFD4C25FFF6731DBF73D2212
SHA256:40DBCF0EC787455837EC5D7439874B1CE6F586A570AF8D5132F09CEC531B97C7
3888WinCDEmu-4.1.exeC:\Program Files\WinCDEmu\uninstall64.exeexecutable
MD5:2ED433C12CFA75908EB790FC8B23EA9E
SHA256:9590EBD10C8CF1D58CC7FF543923E22DBDFC901EA5643F0E59670EF911694C90
3888WinCDEmu-4.1.exeC:\Program Files\WinCDEmu\langfiles\vmnt_Catalan.lngbinary
MD5:AB6B693AB0D2E076F38C5A1F66F0178C
SHA256:46A16FEDDA9AE1F6A80C932ABE28E883BA87DD475E84CED6888F2B49A52866A3
3888WinCDEmu-4.1.exeC:\Program Files\WinCDEmu\x64\WinCDEmuContextMenu.dllexecutable
MD5:E3526F364347D94C329A8CA6D8DF17DA
SHA256:0CA454FA57A90A4D899E0797D0AFF5364260F3649B963D21582FA7010E419C2A
3888WinCDEmu-4.1.exeC:\Program Files\WinCDEmu\x64\VirtualAutorunDisabler.exeexecutable
MD5:6F587118EB5B019F61B864FAAFD6EBCD
SHA256:2606D333535BF625104D881ECA62043C431BA3851DAD29EDC5D090ED7CE1509C
3888WinCDEmu-4.1.exeC:\Program Files\WinCDEmu\langfiles\vmnt_bulgarian.lngbinary
MD5:BDE8E065B9964471A94577ABC273C6A2
SHA256:2EF90CAFDF86FD7F9EAD5278F8A089048C3FECDF17C7F92B8086C12E73D3AE7B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
WinCDEmu-4.1.exe